Preface



Crypto 2004, the 24th Annual Crypto Conference, was sponsored by the International Association for Cryptologic Research (IACR) in cooperation with the IEEE Computer Society Technical Committee on Security and Privacy and the Computer Science Department of the University of California at Santa Barbara.

The program committee accepted 33 papers for presentation at the conference. These were selected from a total of 211 submissions. Each paper received at least three independent reviews. The selection process included a Web-based discussion phase, and a one-day program committee meeting at New York University.

These proceedings include updated versions of the 33 accepted papers. The 
authors had a few weeks to revise them, aided by comments from the reviewers. 
However, the revisions were not subjected to any editorial review. 

The conference program included two invited lectures. Victor Shoup's invited talk was a survey on chosen ciphertext security in public-key encryption. Susan Landau's invited talk was entitled "Security, Liberty, and Electronic Communications". Her extended abstract is included in these proceedings.

We continued the tradition of a Rump Session, chaired by Stuart Haber. 
Those presentations (always short, often serious) are not included here. 

I would like to thank everyone who contributed to the success of this conference. First and foremost, the global cryptographic community submitted their scientific work for our consideration. The members of the Program Committee worked hard throughout, and did an excellent job. Many external reviewers contributed their time and expertise to aid our decision-making. James Hughes, the General Chair, was supportive in a number of ways. Dan Boneh and Victor Shoup gave valuable advice. Yevgeniy Dodis hosted the PC meeting at NYU.

It would have been hard to manage this task without the Web-based submission server (developed by Chanathip Namprempre, under the guidance of Mihir Bellare) and review server (developed by Wim Moreau and Joris Claessens, under the guidance of Bart Preneel). Terri Knight kept these servers running smoothly, and helped with the preparation of these proceedings.

Matt Franklin
Abstract. In this paper we study the long standing problem of information extraction from multiple linear approximations. We develop a formal statistical framework for block cipher attacks based on this technique and derive explicit and compact gain formulas for generalized versions of Matsui's Algorithm 1 and Algorithm 2. The theoretical framework allows both approaches to be treated in a unified way, and predicts significantly improved attack complexities compared to current linear attacks using a single approximation. In order to substantiate the theoretical claims, we benchmarked the attacks against reduced-round versions of DES and observed a clear reduction of the data and time complexities, in almost perfect correspondence with the predictions. The complexities are reduced by several orders of magnitude for Algorithm 1, and the significant improvement in the case of Algorithm 2 suggests that this approach may outperform the currently best attacks on the full DES algorithm.

Keywords: Linear cryptanalysis, multiple linear approximations, 
stochastic systems of linear equations, maximum likelihood decoding, 
key-ranking, DES, AES. 



1 Introduction 

Linear cryptanalysis [8] is one of the most powerful attacks against modern cryptosystems. In 1994, Kaliski and Robshaw [5] proposed the idea of generalizing this attack using multiple linear approximations (the previous approach considered only the best linear approximation). However, their technique was mostly limited to cases where all approximations derive the same parity bit of the key. Unfortunately, this approach imposes a very strong restriction on the approximations, and the additional information gained by the few surviving approximations is often negligible.

In this paper we start by developing a theoretical framework for dealing with multiple linear approximations. We first generalize Matsui's Algorithm 1 based on this framework, and then reuse these results to generalize Matsui's Algorithm 2. Our approach allows us to derive compact expressions for the performance of the attacks in terms of the biases of the approximations and the amount of data available to the attacker. The contribution of these theoretical expressions is twofold. Not only do they clearly demonstrate that the use of multiple approximations can significantly improve classical linear attacks, they also shed new light on the relations between Algorithm 1 and Algorithm 2.

* This work was supported in part by the Concerted Research Action (GOA) Mefisto-2000/06 of the Flemish Government.

** F.W.O. Researcher, Fund for Scientific Research - Flanders (Belgium).

*** F.W.O. Research Assistant, Fund for Scientific Research - Flanders (Belgium).

The main purpose of this paper is to provide a new generally applicable cryptanalytic tool, which performs strictly better than standard linear cryptanalysis. In order to illustrate the potential of this new approach, we implemented two attacks against reduced-round versions of DES, using this cipher as a well-established benchmark for linear cryptanalysis. The experimental results, discussed in the second part of this paper, are in almost perfect correspondence with our theoretical predictions and show that the latter are well justified.

This paper is organized as follows: Sect. 2 describes a very general maximum likelihood framework, which we will use in the rest of the paper; in Sect. 3 this framework is applied to derive and analyze an optimal attack algorithm based on multiple linear approximations. In the last part of this section, we provide a more detailed theoretical analysis of the assumptions made in order to derive the performance expressions. Sect. 4 presents experimental results on DES as an example. Finally, Sect. 5 discusses possible further improvements and open questions. A more detailed discussion of the practical aspects of the attacks and an overview of previous work can be found in the appendices.

2 General Framework 

In this section we discuss the main principles of statistical cryptanalysis and set up a generalized framework for analyzing block ciphers based on maximum likelihood. This framework can be seen as an adaptation or extension of earlier frameworks for statistical attacks proposed by Murphy et al. [11], Junod and Vaudenay [3, 4, 14] and Selçuk [12].



2.1 Attack Model 

We consider a block cipher $E_k$ which maps a plaintext $P \in \mathcal{P}$ to a ciphertext $C = E_k(P) \in \mathcal{C}$. The mapping is invertible and depends on a secret key $k \in \mathcal{K}$. We now assume that an adversary is given $N$ different plaintext-ciphertext pairs $(P_i, C_i)$ encrypted with a particular secret key $k^*$ (a known plaintext scenario), and his task is to recover the key from this data. A general statistical approach — also followed by Matsui's original linear cryptanalysis — consists in performing the following three steps:

Distillation phase. In a typical statistical attack, only a fraction of the information contained in the $N$ plaintext-ciphertext pairs is exploited. A first step therefore consists in extracting the relevant parts of the data, and discarding all information which is not used by the attack. In our framework, the distillation operation is denoted by a function $\psi : \mathcal{P} \times \mathcal{C} \to \mathcal{X}$ which is applied to each plaintext-ciphertext pair. The result is a vector $x = (x_1, \ldots, x_N)$ with $x_i = \psi(P_i, C_i)$, which contains all relevant information. If $|\mathcal{X}| \ll N$, which is usually the case, we can further reduce the data by counting the occurrence of each element of $\mathcal{X}$ and only storing a vector of counters $t = (t_0, \ldots, t_{|\mathcal{X}|-1})$. In this paper we will not restrict ourselves to a single function $\psi$, but consider $m$ separate functions $\psi_j$, each of which maps the text pairs into different sets $\mathcal{X}_j$ and generates a separate vector of counters $t_j$.

Analysis phase. This phase is the core of the attack and consists in generating a list of key candidates from the information extracted in the previous step. Usually, candidates can only be determined up to a set of equivalent keys, i.e., typically, a majority of the key bits is transparent to the attack. In general, the attack defines a function $\alpha : \mathcal{K} \to Z$ which maps each key $k$ onto an equivalent key class $z = \alpha(k)$. The purpose of the analysis phase is to determine which of these classes are the most likely to contain the true key $k^*$ given the particular values of the counters $t_j$.

Search phase. In the last stage of the attack, the attacker exhaustively tries 
all keys in the classes suggested by the previous step, until the correct key 
is found. Note that the analysis and the searching phase may be intermixed: 
the attacker might first generate a short list of candidates, try them out, and 
then dynamically extend the list as long as none of the candidates turns out 
to be correct. 



2.2 Attack Complexities 

When evaluating the performance of the general attack described above, we need to consider both the data complexity and the computational complexity. The data complexity is directly determined by $N$, the number of plaintext-ciphertext pairs required by the attack. The computational complexity depends on the total number of operations performed in the three phases of the attack. In order to compare different types of attacks, we define a measure called the gain of the attack:



Definition 1 (Gain). If an attack is used to recover an $n$-bit key and is expected to return the correct key after having checked on the average $M$ candidates, then the gain of the attack, expressed in bits, is defined as:

\[ \gamma = -\log_2 \frac{2 \cdot M - 1}{2^n} . \qquad (1) \]



Let us illustrate this with an example where an attacker wants to recover an $n$-bit key. If he does an exhaustive search, the number of trials before hitting the correct key can be anywhere from 1 to $2^n$. The average number $M$ is $(2^n + 1)/2$, and the gain according to the definition is 0. On the other hand, if the attack immediately derives the correct candidate, $M$ equals 1 and the gain is $\gamma = n$. There is an important caveat, however. Let us consider two attacks which both require a single plaintext-ciphertext pair. The first deterministically recovers one bit of the key, while the second recovers the complete key, but with a probability of 1/2. In this second attack, if the key is wrong and only one plaintext-ciphertext pair is available, the attacker is forced to perform an exhaustive search. According to the definition, both attacks have a gain of 1 bit in this case. Of course, by repeating the second attack for different pairs, the gain can be made arbitrarily close to $n$ bits, while this is not the case for the first attack.



2.3 Maximum Likelihood Approach 



The design of a statistical attack consists of two important parts. First, we need 
to decide on how to process the N plaintext-ciphertext pairs in the distillation 
phase. We want the counters tj to be constructed in such a way that they con- 
centrate as much information as possible about a specific part of the secret key 
in a minimal amount of data. Once this decision has been made, we can proceed 
to the next stage and try to design an algorithm which efficiently transforms this 
information into a list of key candidates. In this section, we discuss a general 
technique to optimize this second step. Notice that throughout this paper, we 
will denote random variables by capital letters. 

In order to minimize the number of trials in the search phase, we want the candidate classes which have the largest probability of being correct to be tried first. If we consider the correct key class as a random variable $Z$ and denote the complete set of counters extracted from the observed data by $t$, then the ideal output of the analysis phase would consist of a list of classes $\{z\}$, sorted according to the conditional probability $\Pr[Z = z \mid t]$. Taking the Bayesian approach, we express this probability as follows:

\[ \Pr[Z = z \mid t] = \frac{\Pr[T = t \mid z] \cdot \Pr[Z = z]}{\Pr[T = t]} . \qquad (2) \]

The factor $\Pr[Z = z]$ denotes the a priori probability that the class $z$ contains the correct key $k^*$, and is equal to the constant $1/|Z|$, with $|Z|$ the total number of classes, provided that the key was chosen at random. The denominator is determined by the probability that the specific set of counters $t$ is observed, taken over all possible keys and plaintexts. The only expression in (2) that depends on $z$, and thus affects the sorting, is the factor $\Pr[T = t \mid z]$, compactly written as $P_z(t)$. This quantity denotes the probability, taken over all possible plaintexts, that a key from a given class $z$ produces a set of counters $t$. When viewed as a function of $z$ for a fixed set $t$, the expression $\Pr[T = t \mid z]$ is also called the likelihood of $z$ given $t$, and denoted by $L_t(z)$, i.e.,

\[ L_t(z) = P_z(t) = \Pr[T = t \mid z] . \]

This likelihood and the actual probability $\Pr[Z = z \mid t]$ have distinct values, but they are proportional for a fixed $t$, as follows from (2). Typically, the likelihood expression is simplified by applying a logarithmic transformation. The result is denoted by

\[ \mathcal{L}_t(z) = \log L_t(z) \]

and called the log-likelihood. Note that this transformation does not affect the sorting, since the logarithm is a monotonically increasing function.

Assuming that we can construct an efficient algorithm that accurately estimates the likelihood of the key classes and returns a list sorted accordingly, we are now ready to derive a general expression for the gain of the attack.

Let us assume that the plaintexts are encrypted with an $n$-bit secret key $k^*$, contained in the equivalence class $z^*$, and let $Z^* = Z \setminus \{z^*\}$ be the set of classes different from $z^*$. The average number of classes checked during the searching phase before the correct key is found, is given by the expression

\[ 1 + \sum_{z \in Z^*} \Pr[\mathcal{L}_T(z) > \mathcal{L}_T(z^*) \mid z^*] , \]

where the random variable $T$ represents the set of counters generated by a key from the class $z^*$, given $N$ random plaintexts. Note that this number includes the correct key class, but since this class will be treated differently later on, we do not include it in the sum. In order to compute the probabilities in this expression, we define the sets $\mathcal{T}_z = \{ t \mid \mathcal{L}_t(z) > \mathcal{L}_t(z^*) \}$. Using this notation, we can write

\[ \Pr[\mathcal{L}_T(z) > \mathcal{L}_T(z^*) \mid z^*] = \sum_{t \in \mathcal{T}_z} P_{z^*}(t) . \]

Knowing that each class $z$ contains $2^n/|Z|$ different keys, we can now derive the expected number of trials $M^*$, given a secret key $k^*$. Note that the number of keys that need to be checked in the correct equivalence class $z^*$ is only $(2^n/|Z| + 1)/2$ on the average, yielding

\[ M^* = \frac{2^n}{|Z|} \cdot \left( \sum_{z \in Z^*} \sum_{t \in \mathcal{T}_z} P_{z^*}(t) + \frac{1}{2} \right) + \frac{1}{2} . \qquad (3) \]

This expression needs to be averaged over all possible secret keys $k^*$ in order to find the expected value $M$, but in many cases¹ we will find that $M^*$ does not depend on the actual value of $k^*$, such that $M = M^*$. Finally, the gain of the attack is computed by substituting this value of $M$ into (1).



3 Application to Multiple Approximations 

In this section, we apply the ideas discussed above to construct a general frame- 
work for analyzing block ciphers using multiple linear approximations. 

¹ In some cases the variance of the gain over different keys would be very significant. In these cases it might be worth exploiting this phenomenon in a weak-key attack scenario, as in the case of the IDEA cipher.
The starting point in linear cryptanalysis is the existence of unbalanced linear expressions involving plaintext bits, ciphertext bits, and key bits. In this paper we assume that we can use $m$ such expressions (a method to find them is presented in an extended version of this paper [1]):

\[ \Pr\left[ P[\chi_P^j] \oplus C[\chi_C^j] \oplus K[\chi_K^j] = 0 \right] = \frac{1}{2} + \epsilon_j , \qquad (4) \]

with $(P, C)$ a random plaintext-ciphertext pair encrypted with a random key $K$. The notation $X[\chi]$ stands for $X_{i_1} \oplus X_{i_2} \oplus \ldots \oplus X_{i_k}$, where $X_{i_1}, \ldots, X_{i_k}$ represent particular bits of $X$. The deviation $\epsilon_j$ is called the bias of the linear expression.

We now use the framework of Sect. 2.1 to design an attack which exploits the information contained in (4). The first phase of the cryptanalysis consists in extracting the relevant parts from the $N$ plaintext-ciphertext pairs. The linear expressions in (4) immediately suggest the following functions $\psi_j$:

\[ x_{i,j} = \psi_j(P_i, C_i) = P_i[\chi_P^j] \oplus C_i[\chi_C^j] , \]

with $x_{i,j} \in \mathcal{X}_j = \{0, 1\}$. These values are then used to construct $m$ counter vectors $\mathbf{t}_j = (t_j, N - t_j)$, where $t_j$ and $N - t_j$ reflect the number of plaintext-ciphertext pairs for which $x_{i,j}$ equals 0 and 1, respectively².

In the second step of the framework, a list of candidate key classes needs to be generated. We represent the equivalent key classes induced by the $m$ linear expressions in (4) by an $m$-bit word $z = (z_1, \ldots, z_m)$ with $z_j = K[\chi_K^j]$. Note that $m$ might possibly be much larger than $n$, the length of the key $k$. In this case, only a subspace of all possible $m$-bit words corresponds to a valid key class. The exact number of classes $|Z|$ depends on the number of independent linear approximations (i.e., the rank of the corresponding linear system).



3.1 Computing the Likelihoods of the Key Classes 

We will for now assume that the linear expressions in (4) are statistically independent for different plaintext-ciphertext pairs and for different values of $j$ (in the next section we will discuss this important point in more detail). This allows us to apply the maximum likelihood approach described earlier in a very straightforward way. In order to simplify notations, we define the probabilities $p_j$ and $q_j$, and the imbalances³ $c_j$ of the linear expressions as

\[ p_j = \frac{1}{2} + \epsilon_j = 1 - q_j = \frac{1 + c_j}{2} . \]



² The vectors $\mathbf{t}_j$ are only constructed to be consistent with the framework described earlier. In practice of course, the attacker will only calculate $t_j$ (this is a minimal sufficient statistic).

³ Also known in the literature as "correlations".

Fig. 1. Geometrical interpretation for $m = 2$. The correct key class $z^*$ has the second largest likelihood in this example. The numbers in the picture represent the number of trials $M^*$ when $\hat{\mathbf{c}}$ falls in the associated area.

We start by deriving a convenient expression for the probability $P_z(t)$. To simplify the calculation, we first give a derivation for the special key class $z' = (0, \ldots, 0)$. Assuming independence of different approximations and of different $(P_i, C_i)$ pairs, the probability that this key generates the counters $t_j$ is given by the product

(5)

In practice, $p_j$ and $q_j$ will be very close to 1/2, and $N$ very large. Taking this into account, we approximate the $m$-dimensional binomial distribution above by an $m$-dimensional Gaussian distribution:

The variable $\hat{c}_j$ is called the estimated imbalance and is derived from the counters $t_j$ according to the relation $N \cdot (1 + \hat{c}_j)/2 = t_j$. For any key class $z$, we can repeat the reasoning above, yielding the following general expression:

\[ P_z(t) \approx \prod_{j=1}^{m} \sqrt{\frac{N}{2\pi}} \cdot e^{-\frac{N}{2}\left(\hat{c}_j - (-1)^{z_j} c_j\right)^2} . \qquad (6) \]

This formula has a useful geometrical interpretation: if we take a key from a fixed key class $z^*$ and construct an $m$-dimensional vector $\hat{\mathbf{c}} = (\hat{c}_1, \ldots, \hat{c}_m)$ by encrypting $N$ random plaintexts, then $\hat{\mathbf{c}}$ will be distributed around the vector $\mathbf{c}_{z^*} = ((-1)^{z^*_1} c_1, \ldots, (-1)^{z^*_m} c_m)$ according to a Gaussian distribution with a diagonal variance-covariance matrix $1/N \cdot I_m$, where $I_m$ is an $m \times m$ identity matrix. This is illustrated in Fig. 1. From (6) we can now directly compute the log-likelihood:

\[ \mathcal{L}_t(z) = \log L_t(z) = \log P_z(t) \approx C - \frac{N}{2} \sum_{j=1}^{m} \left(\hat{c}_j - (-1)^{z_j} c_j\right)^2 . \qquad (7) \]

The constant $C$ depends on $m$ and $N$ only, and is irrelevant to the attack. From this formula we immediately derive the following property.

Lemma 1. The relative likelihood of a key class $z$ is completely determined by the Euclidean distance $|\hat{\mathbf{c}} - \mathbf{c}_z|$, where $\hat{\mathbf{c}}$ is an $m$-dimensional vector containing the estimated imbalances derived from the known texts, and $\mathbf{c}_z = ((-1)^{z_1} c_1, \ldots, (-1)^{z_m} c_m)$.

The lemma implies that $\mathcal{L}_t(z) > \mathcal{L}_t(z^*)$ if and only if $|\hat{\mathbf{c}} - \mathbf{c}_z| < |\hat{\mathbf{c}} - \mathbf{c}_{z^*}|$. This type of result is common in coding theory.



3.2 Estimating the Gain of the Attack 

Based on the geometrical interpretation given above, and using the results from 
Sect. 2.3, we can now easily derive the gain of the attack. 

Theorem 1. Given $m$ approximations and $N$ independent pairs $(P_i, C_i)$, an adversary can mount a linear attack with a gain equal to:

\[ \gamma = -\log_2\left[ \frac{2}{|Z|} \cdot \sum_{z \in Z^*} \Phi\!\left(-\sqrt{N} \cdot \frac{|\mathbf{c}_z - \mathbf{c}_{z^*}|}{2}\right) + \frac{1}{|Z|} \right] , \qquad (8) \]

where $\Phi(\cdot)$ is the cumulative normal distribution function, $\mathbf{c}_z = ((-1)^{z_1} c_1, \ldots, (-1)^{z_m} c_m)$ and $|Z|$ is the number of key classes induced by the approximations.

Proof. The probability that the likelihood of a key class $z$ exceeds the likelihood of the correct key class $z^*$ is given by the probability that the vector $\hat{\mathbf{c}}$ falls into the half plane $\mathcal{H}_z = \{ \hat{\mathbf{c}} \mid |\hat{\mathbf{c}} - \mathbf{c}_z| < |\hat{\mathbf{c}} - \mathbf{c}_{z^*}| \}$. Considering the fact that $\hat{\mathbf{c}}$ describes a Gaussian distribution around $\mathbf{c}_{z^*}$ with a variance-covariance matrix $1/N \cdot I_m$, we need to integrate this Gaussian over the half plane $\mathcal{H}_z$ and due to the zero covariances, we immediately find:

\[ \Pr[\mathcal{L}_T(z) > \mathcal{L}_T(z^*) \mid z^*] = \Phi\!\left(-\sqrt{N} \cdot \frac{|\mathbf{c}_z - \mathbf{c}_{z^*}|}{2}\right) . \]

By summing these probabilities as in (3) we find the expected number of trials:

\[ M^* = \frac{2^n}{|Z|} \cdot \left( \sum_{z \in Z^*} \Phi\!\left(-\sqrt{N} \cdot \frac{|\mathbf{c}_z - \mathbf{c}_{z^*}|}{2}\right) + \frac{1}{2} \right) + \frac{1}{2} . \qquad (9) \]

The gain is obtained by substituting this expression for $M^*$ in equation (1). □

The formula derived in the previous theorem can easily be evaluated as long as 
|Z| is not too large. In order to estimate the gain in the other cases as well, we 
need to make a few approximations. 
Corollary 1. If $|Z|$ is sufficiently large, the gain derived in Theorem 1 can accurately be approximated by

\[ \gamma \approx -\log_2\left[ 2 \cdot \frac{|Z| - 1}{|Z|} \cdot \Phi\!\left(-\sqrt{\frac{N \cdot \bar{c}^2}{2}}\right) + \frac{1}{|Z|} \right] , \qquad (10) \]

where

Proof. See App. A.

An interesting conclusion that can be drawn from the corollary above is that the gain of the attack is mainly determined by the product $N \cdot \bar{c}^2$. As a result, if we manage to increase $\bar{c}^2$ by using more linear characteristics, then the required number of known plaintext-ciphertext pairs $N$ can be decreased by the same factor, without affecting the gain. Since the quantity $\bar{c}^2$ plays a very important role in the attacks, we give it a name and define it explicitly.

Definition 2. The capacity $\bar{c}^2$ of a system of $m$ approximations is defined as

\[ \bar{c}^2 = \sum_{j=1}^{m} c_j^2 = 4 \sum_{j=1}^{m} \epsilon_j^2 . \]



3.3 Extension: Multiple Approximations and Matsui's Algorithm 2

The approach taken in the previous section can be seen as an extension of Matsui's Algorithm 1. Just as in Algorithm 1, the adversary analyses parity bits of the known plaintext-ciphertext pairs and then tries to determine parity bits of internal round keys. An alternative approach, which is called Algorithm 2 and yields much more efficient attacks in practice, consists in guessing parts of the round keys in the first and the last round, and determining the probability that the guess was correct by exploiting linear characteristics over the remaining rounds. In this section we will show that the results derived above can still be applied in this situation, provided that we modify some definitions.

Let us denote by $Z_O$ the set of possible guesses for the targeted subkeys of the outer rounds (round 1 and round $r$). For each guess $z_O$ and for all $N$ plaintext-ciphertext pairs, the adversary does a partial encryption and decryption at the top and bottom of the block cipher, and recovers the parity bits of the intermediate data blocks involved in $m$ different $(r - 2)$-round linear characteristics. Using this data, he constructs $m' = |Z_O| \cdot m$ counters $t_j$, which can be transformed into an $m'$-dimensional vector $\hat{\mathbf{c}}$ containing the estimated imbalances.

As explained in the previous section, the $m$ linear characteristics involve $m$ parity bits of the key, and thus induce a set of equivalent key classes, which we will here denote by $Z_I$ ($I$ from inner). Although not strictly necessary, we will for simplicity assume that the sets $Z_O$ and $Z_I$ are independent, such that each guess $z_O \in Z_O$ can be combined with any class $z_I \in Z_I$, thereby determining a subclass of keys $z = (z_O, z_I) \in Z$ with $|Z| = |Z_O| \cdot |Z_I|$.
At this point, the situation is very similar to the one described in the previous section, the main difference being a higher dimension $m'$. The only remaining question is how to construct the $m'$-dimensional vectors $\mathbf{c}_z$ for each key class $z = (z_O, z_I)$. To solve this problem, we will need to make some assumptions. Remember that the coordinates of $\mathbf{c}_z$ are determined by the expected imbalances of the corresponding linear expressions, given that the data is encrypted with a key from class $z$. For the $m$ counters that are constructed after guessing the correct subkey $z_O$, the expected imbalances are determined by $z_I$ and equal to $(-1)^{z_{I,1}} c_1, \ldots, (-1)^{z_{I,m}} c_m$. For each of the $m' - m$ other counters, however, we will assume that the wrong guesses result in independent random-looking parity bits, showing no imbalance at all⁴. Accordingly, the vector $\mathbf{c}_z$ has the following form:

\[ \mathbf{c}_z = (0, \ldots, 0, (-1)^{z_{I,1}} c_1, \ldots, (-1)^{z_{I,m}} c_m, 0, \ldots, 0) . \]

With the modified definitions of $Z$ and $\mathbf{c}_z$ given above, both Theorem 1 and Corollary 1 still hold (the proofs are given in App. A). Notice however that the gain of the Algorithm-2-style linear attack will be significantly larger because it depends on the capacity of linear characteristics over $r - 2$ rounds instead of $r$ rounds.



3.4 Influence of Dependencies 

When deriving (5) in Sect. 3, we assumed statistical independence. This assumption is not always fulfilled, however. In this section we discuss different potential sources of dependencies and estimate how they might influence the cryptanalysis.

Dependent plaintext-ciphertext pairs. A first assumption made by equation (5) concerns the dependency of the parity bits $x_{i,j}$ with $1 \le i \le N$, computed with a single linear approximation for different plaintext-ciphertext pairs. The equation assumes that the probability that the approximation holds for a single pair equals $p_j = 1/2 + \epsilon_j$, regardless of what is observed for other pairs. This is a very reasonable assumption if the $N$ plaintexts are chosen randomly, but even if they are picked in a systematic way, we can still safely assume that the corresponding ciphertexts are sufficiently unrelated as to prevent statistical dependencies.

Dependent text masks. The next source of dependencies is more fundamental and is related to dependent text masks. Suppose for example that we want to use three linear approximations with plaintext-ciphertext masks $(\chi_P^1, \chi_C^1)$, $(\chi_P^2, \chi_C^2)$, $(\chi_P^3, \chi_C^3)$, and that $\chi_P^1 \oplus \chi_P^2 \oplus \chi_P^3 = \chi_C^1 \oplus \chi_C^2 \oplus \chi_C^3 = 0$. It is immediately clear that the parity bits computed for these three approximations cannot possibly be independent: for all $(P_i, C_i)$ pairs, the bit computed for the 3rd approximation $x_{i,3}$ is equal to $x_{i,1} \oplus x_{i,2}$.

⁴ Note that for some ciphers, other assumptions may be more appropriate. The reasoning in this section can be applied to these cases just as well, yielding very similar results.
Even in such cases, however, we believe that the results derived in the previous section are still quite reasonable. In order to show this, we consider the probability that a single random plaintext encrypted with an equivalent key $z$ yields a vector⁵ of parity bits $x = (x_1, \ldots, x_m)$. Let us denote by $\chi_T^j$ the concatenation of both text masks $\chi_P^j$ and $\chi_C^j$. Without loss of generality, we can assume that the $m$ masks $\chi_T^j$ are linearly independent for $1 \le j \le l$ and linearly dependent (but different) for $l < j \le m$. This implies that $x$ is restricted to an $l$-dimensional subspace $\mathcal{R}$. We will only consider the key class $z' = (0, \ldots, 0)$ in order to simplify the equations. The probability we want to evaluate is:

\[ P_{z'}(x) = \Pr[X_j = x_j \text{ for } 1 \le j \le m \mid z'] . \]

These (unknown) probabilities determine the (known) imbalances $c_j$ of the linear approximations through the following expression:

\[ c_j = \sum_{x} P_{z'}(x) \cdot (-1)^{x_j} . \]

We now make the (in many cases reasonable) assumption that all $2^l - m$ masks $\chi_T$ which depend linearly on the masks $\chi_T^j$, but which differ from the ones considered by the attack, have negligible imbalances. In this case, the equation above can be reversed (note the similarity with the Walsh-Hadamard transform), and we find that:

\[ P_{z'}(x) = \frac{1}{2^l} \left[ 1 + \sum_{j=1}^{m} c_j \cdot (-1)^{x_j} \right] . \]

Assuming that $m \cdot c_j \ll 1$ we can make the following approximation:

\[ P_{z'}(x) \approx \frac{2^m}{2^l} \prod_{j=1}^{m} \frac{1 + c_j \cdot (-1)^{x_j}}{2} . \]

Apart from an irrelevant constant factor $2^m/2^l$, this is exactly what we need: it implies that, even with dependent masks, we can still multiply probabilities as we did in order to derive (5). This is an important conclusion, because it indicates that the capacity of the approximations continues to grow, even when $m$ exceeds twice the block size, in which case the masks are necessarily linearly dependent.
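The dependent-mask argument above, made concrete on constructed data (this is an added example, not code from the paper or its authors). It assumes the masks are given by their 0/1 coordinates in a basis of $l$ independent masks, that the $2^l - m$ unused masks have zero imbalance (so the inverse relation is exact), and it uses a constructed distribution on the reachable parity vectors; it then measures how far the product form of (5) is from the exact inversion.

```python
"""Added example (not code from the paper or its authors) for the
dependent-text-mask argument of Sect. 3.4.  Each of the m masks is given by
its 0/1 coordinates in a basis of l linearly independent masks, so the
parity vector x lives in an l-dimensional subspace; we check the inverse
relation P(x) = 2^-l (1 + sum_j c_j (-1)^x_j) and the product approximation.
The masks and the distribution below are constructed, not taken from DES."""
from itertools import product
from math import prod

# Constructed case: l = 2 independent masks and a third one equal to their
# XOR, so that x_3 = x_1 xor x_2 for every plaintext-ciphertext pair.
SAMPLE_L = 2
SAMPLE_MASKS = [(1, 0), (0, 1), (1, 1)]
# Constructed probabilities P_{z'}(x) on the four reachable parity vectors.
SAMPLE_P = {(0, 0, 0): 0.30, (0, 1, 1): 0.26, (1, 0, 1): 0.22, (1, 1, 0): 0.22}


def parity_vectors(masks, l):
    """All parity vectors x = (x_1, ..., x_m) reachable when the m masks are
    the given linear combinations of l independent masks (2^l of them)."""
    xs = []
    for a in product((0, 1), repeat=l):        # parities of the l basis masks
        xs.append(tuple(sum(mi * ai for mi, ai in zip(mask, a)) % 2
                        for mask in masks))
    return xs


def imbalances(dist):
    """c_j = sum_x P(x) (-1)^{x_j}, the imbalance of each approximation."""
    m = len(next(iter(dist)))
    return [sum(p * (-1) ** x[j] for x, p in dist.items()) for j in range(m)]


def inverted(c, xs, l):
    """Inverse relation of Sect. 3.4 (a Walsh-Hadamard inversion): it is
    exact when the 2^l - m masks not used by the attack have zero imbalance."""
    return {x: 2.0 ** -l * (1 + sum(cj * (-1) ** xj for cj, xj in zip(c, x)))
            for x in xs}


def product_approx(c, x, l):
    """2^m / 2^l times the product of the per-approximation probabilities
    (1 + c_j (-1)^{x_j}) / 2, i.e. the factorisation that equation (5) uses."""
    m = len(c)
    return 2.0 ** (m - l) * prod((1 + cj * (-1) ** xj) / 2
                                 for cj, xj in zip(c, x))


def max_relative_error(c, xs, l):
    """Largest relative gap between the exact inverted P(x) and the product
    approximation; it shrinks quadratically with the imbalances."""
    exact = inverted(c, xs, l)
    return max(abs(product_approx(c, x, l) - p) / p for x, p in exact.items())


if __name__ == "__main__":
    xs = parity_vectors(SAMPLE_MASKS, SAMPLE_L)
    c = imbalances(SAMPLE_P)
    print("reachable x:", xs)
    print("imbalances c_j:", [round(v, 4) for v in c])
    print("inverted P(x):", {x: round(p, 4) for x, p in inverted(c, xs, SAMPLE_L).items()})
    print("max rel. error of product form:", round(max_relative_error(c, xs, SAMPLE_L), 4))
    half = [v / 2 for v in c]
    print("same with halved imbalances:  ", round(max_relative_error(half, xs, SAMPLE_L), 4))
```

Halving every $c_j$ cuts the relative error by roughly a factor of four, which is the $O(c_j^2)$ behaviour the approximation $m \cdot c_j \ll 1$ relies on.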

Dependent trails. A third type of dependency might be caused by merging linear trails. When analyzing the best linear approximations for DES, for example, we notice that most of the good linear approximations follow a very limited number of trails through the inner rounds of the cipher, which might result in dependencies. Although this effect did not appear to have any influence on our experiments (with up to 100 different approximations), we cannot exclude at this point that they will affect attacks using many more approximations.

⁵ Note a small abuse of notation here: the definition of $x$ differs from the one used in Sect. 2.1.
Table 1. Attack Algorithm MK 1 and its complexity.

Distillation phase. Obtain $N$ plaintext-ciphertext pairs $(P_i, C_i)$. For $1 \le j \le m$, count the number $t_j$ of pairs satisfying $P_i[\chi_P^j] \oplus C_i[\chi_C^j] = 0$ and compute the estimated imbalance $\hat{c}_j = 2 \cdot t_j/N - 1$.

Analysis phase. For each equivalent key class $z \in Z$, determine the distance

\[ |\hat{\mathbf{c}} - \mathbf{c}_z|^2 = \sum_{j=1}^{m} \left(\hat{c}_j - (-1)^{z_j} \cdot c_j\right)^2 \]

and use these values to construct a sorted list, starting with the class with the smallest distance.

Search phase. Run through the sorted list and exhaustively try all $n$-bit keys contained in the equivalence classes until the correct key is found.

                 Data compl.        Time compl.          Memory compl.
Distillation:    $O(1/\bar{c}^2)$   $O(m/\bar{c}^2)$     $O(m)$
Analysis:        -                  $O(m \cdot |Z|)$     $O(|Z|)$
Search:          -                  $O(2^{n-\gamma})$    $O(|Z|)$


Dependent key masks. We finally note that we did not make any assumption 
about the dependency of key masks in the previous sections. This implies that 
all results derived above remain valid for dependent key masks. 
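Attack Algorithm MK 1 of Table 1 and the gain of Theorem 1 (equations (8) and (9)) carried through on constructed data; this is an added example, not code from the paper or its authors. It assumes every $m$-bit word is a valid class ($|Z| = 2^m$), draws the counters $t_j$ straight from the binomial model of Sect. 3.1 instead of encrypting with a cipher, gives each class a single key in the simulation ($n = m$), and uses constructed imbalances $0.2, 0.15, 0.1$ for three approximations.

```python
"""Added example (not code from the paper or its authors): Attack Algorithm
MK 1 of Table 1 run on synthetic counters, and the gain of Theorem 1.
Assumptions: every m-bit word is a valid key class (|Z| = 2^m), the
counters t_j follow the binomial model of Sect. 3.1 directly (no cipher is
simulated), and in the simulation each class holds exactly one key (n = m)."""
import math
import random
from itertools import product


def phi(x):
    """Cumulative standard normal distribution function Phi(x)."""
    return 0.5 * math.erfc(-x / math.sqrt(2))


def class_vector(z, c):
    """c_z = ((-1)^z_1 c_1, ..., (-1)^z_m c_m): expected imbalances for class z."""
    return [(-1) ** zj * cj for zj, cj in zip(z, c)]


def expected_trials(c, n, N, z_star):
    """M* of equation (9): 2^n/|Z| keys per class, Gaussian error per wrong class."""
    m = len(c)
    num_classes = 1 << m
    cz_star = class_vector(z_star, c)
    wrong_above = 0.0            # expected number of wrong classes ranked above z*
    for z in product((0, 1), repeat=m):
        if z == tuple(z_star):
            continue
        dist = math.dist(class_vector(z, c), cz_star)
        wrong_above += phi(-math.sqrt(N) * dist / 2)
    return (2 ** n / num_classes) * (wrong_above + 0.5) + 0.5


def gain(c, n, N):
    """Gain in bits: Definition 1 applied to M* of Theorem 1 (equation (8))."""
    M = expected_trials(c, n, N, (0,) * len(c))
    return -math.log2((2 * M - 1) / 2 ** n)


def distillation(c, z_star, N, rng):
    """Distillation phase on simulated data: t_j ~ Bin(N, p_j) with
    p_j = (1 + (-1)^{z*_j} c_j)/2, then c_hat_j = 2 t_j / N - 1 (Table 1)."""
    c_hat = []
    for expected in class_vector(z_star, c):
        p = (1 + expected) / 2
        t = sum(1 for _ in range(N) if rng.random() < p)
        c_hat.append(2 * t / N - 1)
    return c_hat


def analysis(c_hat, c):
    """Analysis phase: rank all classes by the Euclidean distance |c_hat - c_z|
    (Lemma 1), smallest distance first."""
    classes = product((0, 1), repeat=len(c))
    return sorted(classes, key=lambda z: math.dist(c_hat, class_vector(z, c)))


def simulate_trials(c, z_star, N, runs, seed=1):
    """Average rank of the true class, i.e. the number of classes searched
    when each class holds one key; compare with expected_trials(c, m, N, z*)."""
    rng = random.Random(seed)
    total = 0
    for _ in range(runs):
        ranked = analysis(distillation(c, z_star, N, rng), c)
        total += ranked.index(tuple(z_star)) + 1
    return total / runs


if __name__ == "__main__":
    c = [0.2, 0.15, 0.1]        # constructed imbalances of three approximations
    z_star = (1, 0, 1)          # constructed true key class
    N = 400
    print("gain, three approximations:", round(gain(c, 3, N), 3))
    print("gain, best one only:       ", round(gain(c[:1], 3, N), 3))
    print("predicted M*:", round(expected_trials(c, 3, N, z_star), 4))
    print("simulated M*:", simulate_trials(c, z_star, N, runs=500))
```

With $N = 400$ the single best approximation yields a gain just under 1 bit while the three together yield about 2.9 bits, and the simulated number of classes searched matches $M^*$ from (9) to within sampling noise.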

4 Experimental Results 

In Sect. 3 we derived an optimal approach for cryptanalyzing block ciphers using 
multiple linear approximations. In this section, we implement practical attack 
algorithms based on this approach and evaluate their performance when applied 
to DES, the standard benchmark for linear cryptanalysis. Our experiments show 
that the attack complexities are in perfect correspondence with the theoretical 
results derived in the previous sections. 

4.1 Attack Algorithm MK 1 

Table 1 summarizes the attack algorithm presented in Sect. 2 (we call this al- 
gorithm Attack Algorithm MK 1). In order to verify the theoretical results, we 
applied the attack algorithm to 8 rounds of DES. We picked 86 linear approx- 
imations with a total capacity c̄² = 2“^^ (see Definition 2). In order to speed 
up the simulation, the approximations were picked to contain 10 linearly inde- 
pendent key masks, such that |Z| = 1024. Fig. 2 shows the simulated gain for 
Algorithm MK 1 using these 86 approximations, and compares it to the gain of 
Matsui’s Algorithm 1, which uses the best one only (c² = 2“^®-^). We clearly see 
a significant improvement. While Matsui’s algorithm requires about 2®^ pairs 
to attain a gain close to 1 bit, only 2^® pairs suffice for Algorithm MK 1. The 
theoretical curves shown in the figure were plotted by computing the gain using 
the exact expression for M* derived in Theorem 1 and using the approximation 
from Corollary 1. Both fit nicely with the experimental results. 

Note that the attack presented in this section is just a proof of concept; 
even higher gains would be possible with more optimized attacks. For a more 
detailed discussion of the technical aspects playing a role in the implementation 
of Algorithm MK 1, we refer to App. B. 

4.2 Attack Algorithm MK 2 

In this section, we discuss the experimental results for the generalization of 
Matsui’s Algorithm 2 using multiple linear approximations (called Attack Algorithm 
MK 2). We simulated the attack algorithm on 8 rounds of DES and compared 
the results to the gain of the corresponding Algorithm 2 attack described in 
Matsui’s paper [9]. 

Our attack uses eight linear approximations spanning six rounds with a total 
capacity c̄² = 2“^^. In order to compute the parity bits of these equations, 
eight 6-bit subkeys need to be guessed in the first and the last rounds (how this 
is done in practice is explained in App. B). Fig. 3 compares the gain of the attack 
to Matsui’s Algorithm 2, which uses the two best approximations (c² = 2“^^-^). 
For the same amount of data, the multiple linear attack clearly achieves a much 
higher gain. This reduces the complexity of the search phase by multiple orders 
of magnitude. On the other hand, for the same gain, the adversary can reduce 
the amount of data by at least a factor 2. For example, for a gain of 12 bits, the 
data complexity is reduced from 2^^ ® to 2^® ®. This is in close correspondence 
with the ratio between the capacities. Note that both simulations were carried 
out under the assumption of independent subkeys (this was also the case for 
the simulations presented in [9]). Without this assumption, the gain will closely 
follow the graphs on the figure, but stop increasing as soon as the gain equals 
the number of independent key bits involved in the attack. 

Fig. 3. Gain (in bits) as a function of data (known plaintext) for 8-round DES. 

As in Sect. 4.1, our goal was not to provide the best attack on 8-round DES, 
but to show that Algorithm-2-style attacks do gain from the use of multiple linear 
approximations, with a data reduction proportional to the increase in the joint 
capacity. We refer to App. B for the technical aspects of the implementation of 
Algorithm MK 2. 



4.3 Capacity DES Case Study 

In Sect. 3 we argued that the minimal amount of data needed to obtain a certain 
gain compared to exhaustive search is determined by the capacity of the linear 
approximations. In order to get a first estimate of the potential improvement of 
using multiple approximations, we calculated the total capacity of the best m 
linear approximations of DES for 1 ≤ m ≤ 2^®. The capacities were computed 
using an adapted version of Matsui’s algorithm (see [1]). The results, plotted for 
different numbers of rounds, are shown in Fig. 4 and 5, both for approximations 
restricted to a single S-box per round and for the general case. Note that the 
single best approximation is not visible on these figures due to the scale of the 
graphs. 

Kaliski and Robshaw [5] showed that the first 10 006 approximations with a 
single active S-box per round have a joint capacity of 4.92 · 10^{−11} for 14 rounds 
of DES (see the footnote below). Fig. 4 shows that this capacity can be increased to 4 · 10^{−10} when 
multiple S-boxes are allowed. Comparing this to the capacity of Matsui’s best 
approximation (c² = 1.29 · 10^{−12}), the factor 38 gained by Kaliski and Robshaw is 
increased to 304 in our case. Practical techniques to turn this increased capacity 
into an effective reduction of the data complexity are presented in this paper, 
but exploiting the full gain of 10 000 unrestricted approximations will require 
additional techniques. In theory, however, it would be possible to reduce the 
data complexity from 2^{43} (in Matsui’s case, using two approximations) to about 
2®® (using 10 000 approximations). 

In order to provide a more conservative (and probably rather realistic) es- 
timation of the implications of our new attacks on full DES, we searched for 
14-round approximations which only require three 6-bit subkeys to be guessed 
simultaneously in the first and the last rounds. The capacity of the 108 best 
approximations satisfying this restriction is 9.83 · 10^{−12}. This suggests that an 
MK 2 attack exploiting these 108 approximations might reduce the data com- 
plexity by a factor 4 compared to Matsui’s Algorithm 2 (i.e., 2^{41} instead of 2^{43}). 
This is comparable to the Knudsen-Mathiassen reduction [6], but would preserve 
the advantage of being a known-plaintext attack rather than a chosen-plaintext 
one. 

Using very high numbers of approximations is somewhat easier in practice 
for MK 1 because we do not have to impose restrictions on the plaintext and 
ciphertext masks (see App. B). Analyzing the capacity for the 10 000 best 16- 
round approximations, we now find a capacity of 5 · 10“^^. If we restrict the 
complexity of the search phase to an average of 2^® trials (i.e., a gain of 12 bits), 
we expect that the attack will require 2 ^^ known plaintexts. As expected, this 
theoretical number is larger than for the MK 2 attack using the same amount 
of approximations. 

5 Future Work 

In this paper we proposed a framework which allows one to use the information 
contained in multiple linear approximations in an optimal way. The topics below 
are possible further improvements and open questions. 

Footnote: Note that Kaliski and Robshaw calculated the sum of squared biases, which equals c̄²/4. 








Alex Biryukov, Christophe De Cannière, and Michael Quisquater 



Application to 16 -round DES. The results in this paper suggest that Algo- 
rithms MK 1 and MK 2 could reduce the data complexity to 2^^ known 
plaintexts, or even less when the number of approximations is further in- 
creased. An interesting problem related to this is how to merge multiple lists 
of key classes (possibly with overlapping key-bits) efficiently. 

Application to AES. Many recent ciphers, e.g., AES, are specifically designed 
to minimize the bias of the best approximation. However, this artificial flat- 
tening of the bias profile comes at the expense of a large increase in the 
number of approximations having the same bias. This suggests that the gain 
made by using multiple linear approximations could potentially be much 
higher in this case than for a cipher like DES. Considering this, we expect 
that one may need to add a few rounds when defining bounds of provable se- 
curity against linear cryptanalysis, based only on best approximations. Still, 
since AES has a large security margin against linear cryptanalysis we do not 
believe that linear attacks enhanced with multiple linear approximations will 
pose a practical threat to the security of the AES. 

Performance of Algorithm MD. Using a very high number of independent 
approximations seems impractical in Algorithms MK 1 and MK 2, but could 
be feasible with Algorithm MD described in App. B.3. Additionally, this 
method would allow one to replace the multiple linear approximations by multi- 
ple linear hulls. 

Success rate. In this paper we derived simple formulas for the average number 
of key candidates checked during the final search phase. Deriving a simple 
expression for the distribution of this number is still an open problem. This 
would allow one to compute the success rate of the attack as a function of the 
number of plaintexts and a given maximal number of trials. 

6 Conclusions 

In this paper, we have studied the problem of generalizing linear cryptanalytic 
attacks given m multiple linear approximations, which has been stated in 1994 
by Kaliski and Robshaw [5]. In order to solve the problem, we have developed 
a statistical framework based on maximum likelihood decoding. This approach 
is optimal in the sense that it utilizes all the information that is present in the 
multiple linear approximations. We have derived explicit and compact gain for- 
mulas for the generalized linear attacks and have shown that for a constant gain, 
the data complexity N of the attack is proportional to the inverse joint capacity 
of the multiple linear approximations: N ∝ 1/c̄². The gain formulas hold for 
the generalized versions of both algorithms proposed by Matsui (Algorithm 1 
and Algorithm 2). 

In the second half of the paper we have proposed several practical methods 
which deliver the theoretical gains derived in the first part of the paper. We 
have proposed a key-recovery algorithm MK 1 which has a time complexity 
O(m/c̄² + m · |Z|) and a data complexity O(1/c̄²), where |Z| is the number of 
solutions of the system of m equations defined by the linear approximations. We 
have also designed an algorithm MK 2 which is a direct generalization of Matsui’s 
Algorithm 2, as described in [9]. The performances of both algorithms are very 
close to our theoretical estimations and confirm that the data complexity of the 
attack decreases proportionally to the increase in the joint capacity of multiple 
approximations. We have used 8-round DES as a standard benchmark in our 
experiments and in all cases our attacks perform significantly better than those 
given by Matsui. However, our goal in this paper was not to produce the most 
optimal attack on DES, but to construct a new cryptanalytic tool applicable to 
a variety of ciphers. 
A Proofs 



A.1 Proof of Corollary 1 

Corollary 1. If |Z| is sufficiently large, the gain derived in Theorem 1 can 
accurately be approximated by 

(11) 

where c̄² is called the total capacity of the m linear characteristics. 

Proof. In order to show how (11) is derived from (8), we just need to construct 
an approximation for the expression 

$$\frac{1}{|Z^*|} \sum_{z \in Z^*} \Phi\!\left(-\sqrt{N/4} \cdot |c_z - c_{z^*}|\right) . \qquad (12)$$

We first define the function $f(x) = \Phi(-\sqrt{N \cdot x / 4})$. Denoting the average value 
of a set of variables by E[·], we can reduce (12) to the compact expression 
E[f(x)], with x = |c_z − c_{z*}|². By expanding f(x) into a Taylor series around the 
average value x̄, we find 

$$E[f(x)] = f(\bar{x}) + 0 + \frac{f''(\bar{x})}{2} \cdot E[(x - \bar{x})^2] + \dots$$

Provided that the higher order moments of x are sufficiently small, we can use 
the approximation E[f(x)] ≈ f(x̄). Exploiting the fact that the jth coordinate 
of each vector is either c_j or −c_j, we can easily calculate the average value x̄: 

$$\bar{x} = \frac{1}{|Z^*|} \sum_{z \in Z^*} |c_z - c_{z^*}|^2 = 2 \cdot \frac{|Z|}{|Z^*|} \cdot \sum_{j=1}^{m} c_j^2 .$$

When |Z| is sufficiently large (say |Z| > 2^8), the right hand part can be ap- 
proximated by 2 · c̄² (remember that Z* = Z \ {z*}, and thus 
|Z*| = |Z| − 1). Substituting this into the relation E[f(x)] ≈ f(x̄), we find 

$$\frac{1}{|Z^*|} \sum_{z \in Z^*} \Phi\!\left(-\sqrt{N/4} \cdot |c_z - c_{z^*}|\right) \approx \Phi\!\left(-\sqrt{N \cdot \bar{c}^2 / 2}\right) .$$

By applying this approximation to the gain formula derived in Theorem 1, we 
directly obtain expression (11). □ 
A.2 Gain Formulas for the Algorithm-2-Style Attack 

With the modified definitions of Z and Cz given in Sect. 3.3, Theorem 1 can 
immediately be applied. This results in the following corollary. 

Corollary 2. Given m approximations and N independent pairs (P_i, C_i), an 
adversary can mount an Algorithm-2-style linear attack with a gain equal to: 




The formula above involves a summation over all elements of Z*. Motivated 
by the fact that |Z*| = |Z_0| · |Z_1| − 1 is typically very large, we now derive 
a more convenient approximated expression similar to Corollary 1. In order to 
do this, we split the sum into two parts. The first part considers only keys 
z ∈ Z_1* = Z_1 \ {z*} where Z_1 = {z | z_0 = z_0*}; the second part sums over 
all remaining keys z ∈ Z_2 = {z | z_0 ≠ z_0*}. In the second case, we have that 

$$|c_z - c_{z^*}|^2 = 2 \cdot \sum_{j=1}^{m} c_j^2 = 2 \cdot \bar{c}^2 \quad \text{for all } z \in Z_2,$$ 

such that 




For the first part of the sum, we apply the approximation used to derive Corol- 
lary 1 and obtain a very similar expression: 




Combining both results we find the counterpart of Corollary 1 for an Algorithm- 
2-style linear attack. 

Corollary 3. If |Z| is sufficiently large, the gain derived in Theorem 2 can 
accurately be approximated by 




where c̄² is the total capacity of the m linear characteristics. 

Notice that although Corollary 1 and 3 contain identical formulas, the gain of 
the Algorithm- 2-style linear attack will be significantly larger because it depends 
on the capacity of linear characteristics over r — 2 rounds instead of r rounds. 

B Discussion — Practical Aspects 

When attempting to calculate the optimal estimators derived in Sect. 3, the 
attacker might be confronted with some practical limitations, which are often 
cipher-dependent. In this section we discuss possible problems and propose ways 
to deal with them. 
B.1 Attack Algorithm MK 1 

When estimating the potential gain in Sect. 3, we did not impose any restrictions 
on the number of approximations m. However, while it does reduce the complex- 
ity of the search phase (since it increases the gain), having an excessively high 
number m increases both the time and the space complexity of the distillation 
and the analysis phase. At some point the latter will dominate, cancelling out 
any improvement made in the search phase. 

Analyzing the complexities in Table 1, we can make a few observations. We 
first note that the time complexity of the distillation phase should be compared 
to the time needed to encrypt N ∝ 1/c̄² plaintext-ciphertext pairs. Given that 
a single counting operation is much faster than an encryption, we expect the 
complexity of the distillation to remain negligible compared to the encryption 
time as long as m is only a few orders of magnitude (say m < 100). 

The second observation is that the number of different key classes \Z\ clearly 
plays an important role, both for the time and the memory complexities of the 
algorithm. In a practical situation, the memory is expected to be the strongest 
limitation. Different approaches can be taken to deal with this problem: 

Straightforward, but inefficient approach. Since the number of different 
key classes |Z| is bounded by 2^m, the most straightforward solution is to limit 
the number of approximations. A realistic upper bound would be m < 32. 
The obvious drawback of this approach is that it will not allow one to attain 
very high capacities. 

Exploiting dependent key masks. A better approach is to impose a bound 
on the number l of linearly independent key masks χ_K^j. This way, we limit 
the memory requirements to |Z| = 2^l, but still allow a large number of ap- 
proximations (for example a few thousand). This approach restricts the choice 
of approximations, however, and thus reduces the maximum attainable ca- 
pacity. This is the approach taken in Sect. 4.1. Note also that the attack 
described in [5] can be seen as a special case of this approach, with l = 1. 

Merging separate lists. A third strategy consists in constructing separate 
lists and merging them dynamically. Suppose for simplicity that the m key 
masks χ_K^j considered in the attack are all independent. In this case, we can 
apply the analysis phase twice, each time using m/2 approximations. This 
will result in two sorted lists of intermediate key classes, both containing 
2^{m/2} classes. We can then dynamically compute a sorted sequence of final 
key classes constructed by taking the product of both lists. The ranking of 
the sequence is determined by the likelihood of these final classes, which is 
just the sum of the likelihoods of the elements in the separate lists. This 
approach slightly increases the time complexity of the analysis phase (see the 
remark below), but will considerably reduce the memory requirements. Note 
that this approach can be generalized in order to allow some dependencies in the key masks. 

In cases where the gain of the attack is several bits, this approach will actually 
decrease the complexity, since we expect that only a fraction of the final sequence 
will need to be computed. 
B.2 Attack Algorithm MK 2 

We now briefly discuss some practical aspects of the Algorithm-2-style multiple 
linear attack, called Attack Algorithm MK 2. As discussed earlier, the ideas of 
the attack are very similar to Attack Algorithm MK 1, but there are a number of 
additional issues. In the following paragraphs, we denote the number of rounds 
of the cipher by r. 

Choice of characteristics. In order to limit the amount of guessing in rounds 1 
and r, only parts of the subkeys in these rounds will be guessed. This restricts 
the set of useful (r − 2)-round characteristics to those that only depend on 
bits which can be derived from the plaintext, the ciphertext, and the partial 
subkeys. This obviously reduces the maximum attainable capacity. 

Efficiency of the distillation phase. During the distillation phase, all N 
plaintexts need to be analyzed for all |Z_0| guesses z_0. Since |Z_0| is rather 
large in practice, this could be very computationally intensive. For example, 
a naive implementation would require O(N · |Z_0|) steps and even Matsui’s 
counting trick would use O(N + |Z_0|²) steps. However, the distillation can 
be performed in O(N + |Z_0|) steps by gradually guessing parts of z_0 and 
re-processing the counters. 

Merging separate lists. The idea of working with separate lists can be ap- 
plied here just as for MK 1. 

Computing distances. In order to compare the likelihoods of different keys, 
we need to evaluate the distance |ĉ − c_z|² for all classes z ∈ Z. The vectors 
ĉ and c_z are both |Z_0| · m-dimensional. When calculating this distance as 
a sum of squares, most terms do not depend on z, however. This allows the 
distance to be computed very efficiently, by summing only m terms. 



B.3 Attack Algorithm MD (distinguishing/key-recovery) 

The main limitation of Algorithms MK 1 and MK 2 is the bound on the number 
of key classes |Z|. In this section, we show that this limitation disappears if 
our sole purpose is to distinguish an encryption algorithm E_k from a random 
permutation R. As usual, the distinguisher can be extended into a key-recovery 
attack by adding rounds at the top and at the bottom. 

If we observe N plaintext-ciphertext pairs and assume for simplicity that the 
a priori probability that they were constructed using the encryption algorithm 
is 1/2, we can construct a distinguishing attack using the maximum likelihood 
approach in a similar way as in Sect. 3. Assuming that all secret keys k are equally 
probable, one can easily derive the likelihood L_E(t) that the encryption algorithm was 
used, given the values of the counters t: 

L_E(t) = … 

This expression is correct if all text masks and key masks are independent, but 
is still expected to be a good approximation if this assumption does not hold 
(for the reasons discussed in Sect. 3.4). A similar likelihood L_R(t) can be calculated 
for the random permutation: 





Contrary to what was found for Algorithm MK 1, both likelihoods can be com- 
puted in time proportional to m, i.e., independent of |Z|. The complete distin- 
guishing algorithm, called Attack Algorithm MD, consists of two steps: 

Distillation phase. Obtain N plaintext-ciphertext pairs (P_i, C_i). For 1 ≤ j ≤ m, 
count the number t_j of pairs satisfying P_i[χ_P^j] ⊕ C_i[χ_C^j] = 0. 

Analysis phase. Compute L_E(t) and L_R(t). If L_E(t) > L_R(t), decide that 
the plaintexts were encrypted with the algorithm E_k (using some unknown 
key k). 

The analysis of this algorithm is a matter of further research. 



C Previous Work: Linear Cryptanalysis 

Since the introduction of linear cryptanalysis by Matsui [8-10], several gen- 
eralizations of the linear cryptanalysis method have been proposed. Kaliski and 
Robshaw [5] suggested using many linear approximations instead of one, but 
provided an efficient method for doing so only for the case when all the ap- 
proximations cover the same parity bit of the key. Realizing that this limited 
the number of useful approximations, the authors also proposed a simple (but 
somewhat inefficient) extension to their technique which removes this restriction 
by guessing a relation between the different key bits. The idea of using non- 
linear approximations was suggested by Knudsen and Robshaw [7]. It was used 
by Shimoyama and Kaneko [13] to marginally improve the linear attack on DES. 
Knudsen and Mathiassen [6] suggest converting linear cryptanalysis into a chosen- 
plaintext attack, which would gain the first round of approximation for free. 
The gain is small, since Matsui’s attack gains the first round rather efficiently 
as well. 

A more detailed overview of the history of linear cryptanalysis can be found 
in the extended version of this paper [1]. 
Abstract. In this paper we introduce the method of bi-linear crypt- 
analysis (BLC), designed specifically to attack Feistel ciphers. It allows 
one to construct periodic biased characteristics that combine for an arbitrary 
number of rounds. In particular, we present a practical attack on DES 
based on a 1-round invariant, the fastest known based on such an invariant, 
and about as fast as Matsui’s best attack. For ciphers similar to DES, 
based on small S-boxes, we claim that BLC is very closely related to LC, 
and we do not expect to find a bi-linear attack much faster than by 
LC. Nevertheless we have found bi-linear characteristics that are strictly 
better than Matsui’s best result for 3, 7, 11 and more rounds. 

For more general Feistel schemes there is no reason whatsoever for BLC 
to remain only a small improvement over LC. We present a construction 
of a family of practical ciphers based on a big Rijndael-type S-box that 
are strongly resistant against linear cryptanalysis (LC) but can be easily 
broken by BLC, even with 16 or more rounds. 

Keywords: Block ciphers, Feistel schemes, S-box design, inverse-based 
S-box, DES, linear cryptanalysis, generalised linear cryptanalysis, I/O 
sums, correlation attacks on block ciphers, multivariate quadratic equa- 
tions. 



1 Introduction 

In spite of the growing importance of AES, Feistel schemes and DES remain widely 
used in practice, especially in the financial/banking sector. Linear cryptanalysis 
(LC), due to Gilbert and Matsui, is the best known-plaintext attack on DES, see 
[4,25,27,16,21]. (For chosen-plaintext attacks, see [21,2].) 

A straightforward way of extending linear attacks is to consider nonlinear 
multivariate equations. Exact multivariate equations can give a tiny improve- 
ment to the last round of a linear attack, as shown at Crypto’98 [18]. A more 
powerful idea is to use probabilistic multivariate equations, for every round, and 
replace Matsui’s biased linear I/O sums by nonlinear I/O sums as proposed by 
Harpes, Kramer, and Massey at Eurocrypt’95 [9]. This is known as Generalized 
Linear Cryptanalysis (GLC). In [10,11] Harpes introduces partitioning crypt- 
analysis (PC) and shows that it generalizes both LC and GLC. The correlation 
cryptanalysis (CC) introduced in Jakobsen’s master thesis [13] is claimed even 

M. Franklin (Ed.): CRYPTO 2004, LNCS 3152, pp. 23-40, 2004. 
more general. Moreover, in [12] it is shown that all these attacks, including also 
differential cryptanalysis, are closely related and can be studied in terms of the 
Fast Fourier Transform of the cipher round function. Unfortunately, computing 
this transform is in general infeasible for a real-life cipher and up to now, non- 
linear multivariate I/O sums have played a marginal role in attacking real ciphers. 
Accordingly, these attacks may be excessively general and there is probably no 
substitute for finding and studying in detail interesting special cases. 

At Eurocrypt’96 Knudsen and Robshaw consider applying GLC to Feistel 
schemes [20], and affirm that in this case non-linear characteristics cannot be 
joined together. We will demonstrate that GLC can be applied to Feistel ciphers, 
which is made possible with our “Bi-Linear Cryptanalysis” (BLC) attack. 

2 Feistel Schemes and Bi-linear Functions 

Differential [2] and linear attacks on DES [25, 1] have periodic patterns with 
invariant equations for some 1, 3 or 8 rounds. In this paper we will present 
several new practical attacks with periodic structure for DES, including new 
1-round invariants. 

2.1 The Principle of the Bi-linear Attack on Feistel Schemes 

In one round of a Feistel scheme, one half is unchanged, and the other half is linearly 
combined with the output of the component connected to the unchanged half. This will 
allow bi-linear I/O expressions on the round function to be combined together. 
First we will give an example with one product, and extend it to arbitrary bi- 
linear expressions. Then in Section 3 we explain the full method in detail (with 
linear parts present too) for arbitrary Feistel schemes. Later we will apply it 
to get concrete working attacks for DES and other ciphers. 

In this paper we represent Feistel schemes in a completely “untwisted” way, 
allowing one to see more clearly the part that is not changed in one round. As a 
consequence, the orientation changes compared to most of the papers and we 
obtain an apparent (but extremely useful) distinction between odd and even 
rounds of a Feistel scheme. Otherwise, our notations are very similar to those 
used for DES in [23, 18]. For example L_0[α] denotes a sum (XOR) of some subset 
α of bits of the left half of the plaintext. Combinations of inputs (or outputs) of 
round function number r = 1, 2, … are denoted by I_r[α] (or O_r[β]). Our exact 
notations for DES will be explained in more detail when needed, in Section 6.1. 
For the time being, we start with a simple, rather self-explanatory example (cf. 
Figure 1) that works for any Feistel cipher. 

Proposition 2.1.1 (Combining bi-linear expressions in a Feistel cipher). 

For all (even unbalanced) Feistel ciphers operating on n + n' bits with arbitrary 
round functions we have: ∀α ⊆ {1, …, n}, ∀β ⊆ {1, …, n'}, ∀r > 0: 

$$L_r[\alpha]\, R_r[\beta] \oplus L_0[\alpha]\, R_0[\beta] = \bigoplus_{i=1}^{\lceil r/2 \rceil} O_{2i-1}[\alpha]\, I_{2i-1}[\beta] \;\oplus\; \bigoplus_{i=1}^{\lfloor r/2 \rfloor} I_{2i}[\alpha]\, O_{2i}[\beta]$$

□ 
From one product this fundamental result extends immediately, by linearity, 
to arbitrary bi-linear expressions. Moreover, we will see that these bi-linear ex- 
pressions do not necessarily have to be the same in every round, and that they 
can be freely combined with linear expressions (BLC contains LC). 
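Proposition 2.1.1 checked numerically on a constructed unbalanced Feistel cipher with random lookup-table round functions (an added example, not the paper's code), using the untwisted orientation described above: odd rounds feed the right half into f and XOR the output into the left half, even rounds the reverse. Function names such as feistel_untwisted and masked_sum are my own.

```python
import random


def parity(x: int) -> int:
    """XOR of all bits of x."""
    return bin(x).count("1") & 1


def masked_sum(word: int, mask: int) -> int:
    """X[alpha]: XOR of the bits of `word` selected by the bitmask `alpha`
    (the paper's L_r[alpha], R_r[beta], I_i[beta], O_i[alpha] notation)."""
    return parity(word & mask)


def random_round_functions(n, n_prime, rounds, rng):
    """Constructed round functions as lookup tables: odd rounds map the n'-bit right
    half to n bits, even rounds map the n-bit left half to n' bits (unbalanced is fine)."""
    tables = []
    for i in range(1, rounds + 1):
        if i % 2 == 1:
            tables.append([rng.getrandbits(n) for _ in range(1 << n_prime)])
        else:
            tables.append([rng.getrandbits(n_prime) for _ in range(1 << n)])
    return tables


def feistel_untwisted(left, right, tables):
    """Run the Feistel cipher in the paper's 'untwisted' orientation: odd rounds leave the
    right half unchanged and XOR f(right) into the left half, even rounds do the reverse.
    Returns (L_r, R_r) and the list of per-round (I_i, O_i) = (input, output of f_i)."""
    trace = []
    for i, f in enumerate(tables, start=1):
        if i % 2 == 1:
            inp, out = right, f[right]
            left ^= out
        else:
            inp, out = left, f[left]
            right ^= out
        trace.append((inp, out))
    return left, right, trace


def proposition_2_1_1_holds(left0, right0, alpha, beta, tables):
    """Check L_r[a]R_r[b] + L_0[a]R_0[b] == sum over odd i of O_i[a]I_i[b]
    plus sum over even i of I_i[a]O_i[b] (all sums are XORs, products are ANDs)."""
    left_r, right_r, trace = feistel_untwisted(left0, right0, tables)
    lhs = (masked_sum(left_r, alpha) & masked_sum(right_r, beta)) ^ \
          (masked_sum(left0, alpha) & masked_sum(right0, beta))
    rhs = 0
    for i, (inp, out) in enumerate(trace, start=1):
        if i % 2 == 1:
            rhs ^= masked_sum(out, alpha) & masked_sum(inp, beta)   # O_{2i-1}[a] I_{2i-1}[b]
        else:
            rhs ^= masked_sum(inp, alpha) & masked_sum(out, beta)   # I_{2i}[a] O_{2i}[b]
    return lhs == rhs


def check_all(n=6, n_prime=4, rounds=7, trials=2000, seed=7):
    """Random round functions, plaintexts and masks; True if the identity never fails."""
    rng = random.Random(seed)
    tables = random_round_functions(n, n_prime, rounds, rng)
    for _ in range(trials):
        left0, right0 = rng.getrandbits(n), rng.getrandbits(n_prime)
        alpha, beta = rng.getrandbits(n), rng.getrandbits(n_prime)
        if not proposition_2_1_1_holds(left0, right0, alpha, beta, tables):
            return False
    return True


if __name__ == "__main__":
    for r in range(1, 9):
        print(f"{r} round(s): identity holds on all trials = {check_all(rounds=r)}")
```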

3 Bi-linear Characteristics 

For simplicity let n = n'. In this section we construct a completely general 
bi-linear characteristic for one round of a Feistel cipher. Then we show how it 
combines for the next round. Here we study bits locally and denote them by 
A_i, B_j etc. Later for constructing attacks for many rounds of practical Feistel 
ciphers we will use (again) the notations L_i[j_1, …, j_k] (cf. Section 6.1). 

3.1 Constructing a Bi-linear Characteristic for One Round 

Let s be a homogeneous bi-linear Boolean function GF(2^n) × GF(2^n) → GF(2). 
Let $s(A_1, \dots, A_n, B_1, \dots, B_n) = \sum s_{ij} A_i B_j$. 

Let f_K be the round function of a Feistel cipher. We assume that there exist 
two linear combinations u and v such that the function 

$$\sum s_{ij} O_i B_j \oplus \sum u_i O_i \oplus \sum v_i B_i \quad \text{with } (O_1, \dots, O_n) = f_K(B_1, \dots, B_n)$$

is biased and equal to 0 with some probability p, with p = p(K) depending 
in some way on the round key K. 
We have C_i = A_i ⊕ O_i. By bi-linearity (or from Proposition 2.1.1) the fol- 
lowing holds: 

$$\sum s_{ij} A_i B_j \oplus \sum s_{ij} O_i B_j = \sum s_{ij} C_i B_j$$

From this, for the first round (it could also be any odd-numbered round), we 
obtain the following characteristic: 

$$\sum s_{ij} A_i B_j \oplus \sum u_i A_i \oplus \sum v_i B_i = \sum s_{ij} C_i B_j \oplus \sum u_i C_i \quad \text{with probability } p(K)$$

Finally, we note that the part linear in the B_i can be arbitrarily split in two 
parts: $\sum v_i B_i = \sum v'_i B_i \oplus \sum v''_i B_i$ with $v_i = v'_i \oplus v''_i$ for all i = 1, …, n. 

All this is summarized in the following figure: 

Fig. 2. Constructing a bi-linear characteristic for an odd round of a Feistel cipher 



3.2 Application to the Next (Even) Round 

The same method can be applied to the next, even, round of a Feistel scheme, 
with the only difference that the round function is connected in the inverse 
direction. In this case, to obtain a characteristic true with probability ≠ 1/2, we 
need to have a bias in the function of (C_1, …, C_n) 

with (P_1, …, P_n) = f_K(C_1, …, C_n). 

Fig. 3. Constructing a bi-linear characteristic for an even round of a Feistel cipher 



3.3 Combining Approximations to Get a Bi-linear Attack 
for an Arbitrary Number of Rounds 

It is obvious that such I/O sums as specified above can be combined for an 
arbitrary number of rounds (contradicting [20] page 226). To combine the two 
characteristics specified above, we require the following three conditions: 

1. We need u = . 

2. We need = x. 

3. We need the homogeneous quadratic parts s and t to be correlated (seen as 
Boolean functions). They do not have to be the same (though in many 
cases they will). In linear cryptanalysis (LC), a correlation between two 
linear combinations means that these linear combinations have to be the 
same. In generalized linear cryptanalysis (GLC) [9], and in particular here, 
for bi-linear I/O sums, this is no longer true. Correlations between quadratic 
Boolean functions are frequent, and do not imply that s = t. For these 
reasons the number of possible bi-linear attacks is potentially very large. 

Summary: We observe that bi-linear characteristics combine exactly as in LC 
for their linear parts, and that their quadratic parts should be either identical 
(with orientation that changes in every other round), or correlated. 

4 Predicting the Behaviour of Bi-linear Attacks 

The behaviour of LC is simple and the heuristic methods of Matsui [25] are 
known to be able to predict the behaviour of the attacks with good precision 
(see below). Some attacks work even better than predicted. As already suggested 
in [9,20] the study of generalised linear cryptanalysis is much harder. 

4.1 Computing the Bias of Combined Approximations 

A bi-linear attack will use an I/O sum for the whole cipher, being a sum of I/O 
sums for each round of the cipher such that the terms in the internal variables 
cancel. How to compute the probability that the resulting equation is true is in general not 
obvious. Assuming that the I/O sum uses balanced Boolean functions (otherwise 
it will be even harder to analyse), one can apply Matsui’s Piling-up Lemma 
from [25]. This however can fail. It is known from [9] that a sum of two very 
strongly biased characteristics can have a bias much weaker than expected. The 
resulting bias can even be exactly zero: an explicit example can be found in 
Section 6.1 of [9]. Such a problem can arise when the connecting characteristics 
are not independent. This will happen more frequently in BLC than in LC: 
two linear Boolean functions are perfectly independent unless equal, whereas for 
non-linear Boolean functions correlations are frequent. Accordingly, we do not sum 
independent random variables and Matsui’s lemma may fail. 

At this stage there are two approaches: one can try to define a class of 
attacks that can be proved to work, and restrict oneself to studying only such 
attacks, or one can try to explore all possible attacks, including those that work 
experimentally without proof. The first approach is adopted in [9]: Lemma 6 
there gives a sufficient condition that guarantees that the Piling-up Lemma applies. 
For this, the probability that the characteristic is true, for a random partial key, 
should be independent of the input (e.g. the input of the whole round). This 
explains why Matsui's attacks indeed work well. In [9] it allows one to prove that the 
proposed family of GLC attacks based on homomorphic properties will work as 
predicted. We will also use this argument in Section 5. 

In this paper we mostly adopt the second approach: try to find as 
many working attacks as possible, even if current theory does not allow one to 
predict their behaviour with accuracy. The price to pay is that each application 
of Matsui's Lemma has to be systematically questioned and confronted with 
experimental results. 

4.2 Key Dependence in Bi-linear Attacks 

Another important property of bi-linear cryptanalysis is that the existence of 
a bias for one characteristic frequently depends on the key. This does not 
really happen for LC applied to DES, because in DES all key bits are combined 
linearly and a linear equation will be true with probability either p or 1 - p 
depending on the key. However it does happen for LC on other ciphers, if key 
bits are involved in a more complex way, for example for ICE [22]. 

In bi-linear cryptanalysis the behaviour becomes complex already when the 
key bits are combined linearly as in DES. Adding a constant (a key bit) to 
an input of an S-box does not only modify the constant part of a bi-linear 
characteristic, but also its linear part: $(J[i] \oplus k)\cdot O[j] = J[i]\cdot O[j] \oplus k\cdot O[j]$, 
so a key bit k turns part of the quadratic term into a linear term in the output 
variables. (We note that for DES only the linear part in the output variables 
will be modified when the key changes, since the key enters only at the S-box 
inputs.) From this, quite frequently two bi-linear characteristics for two parts of 
a cipher (e.g. for S-boxes) will only connect together for some keys. Such attacks 
are still very interesting and frequently also work, with only a slightly weaker 
bias, for all the other keys. For simplicity, no key bits are displayed in the 
bi-linear characteristics for one or several rounds of a cipher that are studied or 
displayed in this paper. The values of biases we present (unless otherwise stated) 
are given for the reference key being zero. Yet typically we observed that they 
exist, and slightly vary in value, also for any other key (chosen at random). In 
rare cases the bias works well only for a fraction of keys (e.g. 25 %): this happens 
in Appendix B.1. 

4.3 Exploring Bi-linear Cryptanalysis 

There are different approaches to finding interesting bi-linear attacks on block 
ciphers. In a few cases one can construct attacks that will provably or arguably 
work (see [9] and later Section 5). Another method is to construct characteristics 
"by hand" around some particularly strong bias found for one S-box. 

We noted two major difficulties: predicting the bias of combined characteristics, 
and the huge number of possible characteristics (including fragmentation 
due to the fact that the bias does in general depend on the key). These make 
it very difficult to have a systematic method (a computer program) that would 
compute the best bi-linear characteristic for a given cipher. To check whether an 
attack indeed works requires generating as many plaintexts as for the real 
attack. To find the best attack is much harder still: it requires exhaustively 
searching through, and rejecting, lots of other combinations that should work well 
but do not, each of which has to be tested on an equally large set of plaintexts. 

5 The Killer Example for Bi-linear Cryptanalysis 

We will construct a practical cipher that is very secure w.r.t. all known attacks 
on block ciphers, in particular LC, yet broken by BLC. It mixes two group 
operations: the XOR and the multiplication in $GF(2^n)$, e.g. n = 32 or 64. It uses 
the inverse in $GF(2^n)$ (cf. Rijndael): let $\mathrm{Inv}(X) = X^{-1}$ in $GF(2^n)$ when $X \neq 0$, 
and $\mathrm{Inv}(0) = 0$. We build a 2n-bit Feistel cipher with the i-th round function 
being: 

\[
f_i(X) = \mathrm{Inv}(X) \cdot \bigl(K_i \oplus G(X)\bigr) \quad \text{in } GF(2^n), \tag{1}
\]

with $K_i$ being the partial key, and G being some function $\{0,1\}^n \to \{0,1\}^n$ 
built from S-boxes and arbitrary components. In order to get an insecure cipher we 
need to assume that some linear combination of the outputs of G is biased. For 
example, let $Y_1 \oplus Y_5 = 0$ with probability 3/4. Building a cipher with G alone 
would be insecure for LC; however here G is composed, by the group operation $\cdot$, 
with $\mathrm{Inv}(X)$. The $\mathrm{Inv}(X)$ assures global diffusion and very high non-linearity 
(cf. [3]). Accordingly our round function has very good resistance to linear and 
differential cryptanalysis for most G, even when G = 0. But not against BLC. 

First, we consider a bi-linear attack with bi-linear equations over $GF(2^n)$. For all $r > 0$: 

\[
L_r \cdot R_r \oplus L_0 \cdot R_0
 = \bigoplus_{i=1}^{\lceil r/2 \rceil} O_{2i-1} \cdot I_{2i-1}
 \;\oplus\; \bigoplus_{i=1}^{\lfloor r/2 \rfloor} I_{2i} \cdot O_{2i}
 = \bigoplus_{i=1}^{r} I_i \cdot O_i . \tag{2}
\]

Let $X \cdot Y = (Z_1, \ldots, Z_n)$ with $Z_k = \sum_{i,j} M^k_{ij} X_i Y_j$ (all sums below are 
over $GF(2)$). From (2), or if we prefer directly from Proposition 2.1.1 and by the 
symmetry $M^k_{ij} = M^k_{ji}$, we get for all $k \in \{1, \ldots, n\}$ and all $r > 0$: 

\[
\sum_{i,j} M^k_{ij}\,\bigl(L_{ri}R_{rj} \oplus L_{0i}R_{0j}\bigr)
 = \sum_{l=1}^{r} \sum_{i,j} M^k_{ij}\, I_{li} O_{lj} . \tag{3}
\]

Now, for all $l \geq 1$, $I_l \cdot O_l = K_l \oplus G(I_l)$ with probability $1 - 1/2^n$ (it fails 
only when $I_l = 0$). Bit by bit, for all $k \in \{1, \ldots, n\}$ and all $l > 0$: 

\[
\sum_{i,j} M^k_{ij}\, I_{li} O_{lj} = K_{lk} \oplus G_k(I_l) . \tag{4}
\]

Then we use the linear output bias of G: $G_1 \oplus G_5 = 0$ with probability 3/4. For all $l > 0$: 

\[
\sum_{i,j} \bigl(M^1_{ij} \oplus M^5_{ij}\bigr)\, I_{li} O_{lj}
 = K_{l1} \oplus G_1(I_l) \oplus K_{l5} \oplus G_5(I_l) . \tag{5}
\]

The right-hand side is equal to the constant $C_l = K_{l1} \oplus K_{l5}$ with probability 
3/4. Finally, we combine with (3), or equivalently sum these bi-linear expressions 
over the whole cipher with r rounds: 

\[
\sum_{i,j} \bigl(M^1_{ij} \oplus M^5_{ij}\bigr)\,\bigl(L_{ri}R_{rj} \oplus L_{0i}R_{0j}\bigr)
 = \bigoplus_{l=1}^{r} C_l
 \quad \text{with probability } \tfrac{1}{2} + 2^{-r-1}, \tag{6}
\]

which is the Piling-up prediction for r terms each true with probability 3/4 (the 
$1/2^n$ losses of (4) are neglected). 

What we obtained is a biased bi-linear I/O sum for the whole cipher. We can 
distinguish this cipher from a random permutation given about $2^{2r+2}$ plaintexts 
(the inverse square of the bias). For example, 16 rounds will be broken on a laptop PC. 

Does it work as predicted? In general, as explained in Section 4.1, it is hard 
to predict accurately the behaviour of a composed bi-linear attack. However we 
have little doubt that it works: $\mathrm{Inv}(X)$ should render negligible any correlation 
between the approximations being combined. In some cases we can even 
prove that this attack works: when G = 0, and also when one fixed linear 
combination of output bits of G is 0 (the other parts can be arbitrary functions). In 
these cases dependencies cannot be a problem: we add equations (5), each true with 
probability 1, to get equation (6) true with probability 1. 
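Both the provable G = 0 case and the biased case of this construction can be exercised on a toy instance. The script below is an added example and not the paper's own code. It assumes n = 8, so that the field is the Rijndael field $GF(2^8)$ with polynomial $x^8+x^4+x^3+x+1$ and $\mathrm{Inv}$ can be tabulated (the paper suggests n = 32 or 64); G is a constructed, seeded random table whose output bits $G_1$ and $G_5$ agree on exactly 3/4 of the inputs; the round keys $K_i$ are arbitrary constants. It checks the telescoping identity (2), with every term collapsed as in (4), on every sampled plaintext, and then measures the bias of the I/O sum (6) for the linear form $G_1 \oplus G_5$ against the Piling-up prediction $2^{-r-1}$.

```python
"""Toy instance of the Section 5 cipher in GF(2^8) with the bi-linear I/O sum
of equations (2)-(6).  Added example, not the paper's code.

Assumptions: n = 8, the Rijndael polynomial, a constructed G whose bits
G_1 and G_5 (1-indexed from the least significant bit) agree on exactly
3/4 of the 256 inputs, and arbitrary round keys.
"""
import random

POLY = 0x11B          # x^8 + x^4 + x^3 + x + 1 (Rijndael field)
MASK_G1_G5 = 0x11     # bits 1 and 5 of an 8-bit value: the linear form G_1 xor G_5


def gf_mul(a, b):
    """Multiplication in GF(2^8); XOR is the field addition."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


def gf_inv(x):
    """Inv(X) of the paper: X^-1 = X^254 for X != 0, and Inv(0) = 0."""
    if x == 0:
        return 0
    r, base, e = 1, x, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


INV = [gf_inv(x) for x in range(256)]


def make_G(seed=1):
    """Constructed G: random bytes, with bit 5 forced equal to bit 1 outside a
    random set of 64 inputs, so G_1 xor G_5 = 0 for exactly 192/256 inputs."""
    rng = random.Random(seed)
    bad = set(rng.sample(range(256), 64))
    G = []
    for x in range(256):
        g = rng.randrange(256)
        want = 1 if x in bad else 0
        g = (g & ~0x10) | (((g & 1) ^ want) << 4)
        G.append(g)
    return G


def parity(v):
    return bin(v).count("1") & 1


def encrypt(L, R, keys, G):
    """Feistel cipher with round function (1): f_i(X) = Inv(X) * (K_i xor G(X)),
    L_i = R_{i-1}, R_i = L_{i-1} xor f_i(R_{i-1})."""
    for K in keys:
        I = R
        O = gf_mul(INV[I], K ^ G[I])
        L, R = R, L ^ O
    return L, R


def io_sum(L0, R0, Lr, Rr):
    """Left-hand side of (2): L_r*R_r xor L_0*R_0 in GF(2^8)."""
    return gf_mul(Lr, Rr) ^ gf_mul(L0, R0)


def check_identity(keys, G, samples=2000, seed=2):
    """Equation (2) with each I_i*O_i collapsed as in (4): Inv(X)*X = 1 for
    X != 0, so I_i*O_i = K_i xor G(I_i), and the term is 0 when I_i = 0.
    This holds with probability 1, so it is asserted for every plaintext.
    Returns the number of plaintexts checked."""
    rng = random.Random(seed)
    for _ in range(samples):
        L0, R0 = rng.randrange(256), rng.randrange(256)
        L, R, expected = L0, R0, 0
        for K in keys:
            I = R
            expected ^= (K ^ G[I]) if I != 0 else 0
            L, R = R, L ^ gf_mul(INV[I], K ^ G[I])
        assert io_sum(L0, R0, L, R) == expected
    return samples


def measure_bias(keys, G, mask=MASK_G1_G5, samples=1 << 15, seed=3):
    """Empirical |P[l(L_r*R_r xor L_0*R_0) = 0] - 1/2| for l(Z) = parity(Z & mask).
    With the default mask this is the I/O sum (6); the Piling-up prediction
    for r rounds is 2^(-r-1)."""
    rng = random.Random(seed)
    zeros = 0
    for _ in range(samples):
        L0, R0 = rng.randrange(256), rng.randrange(256)
        Lr, Rr = encrypt(L0, R0, keys, G)
        zeros += parity(io_sum(L0, R0, Lr, Rr) & mask) == 0
    return abs(zeros / samples - 0.5)


if __name__ == "__main__":
    G = make_G()
    rng = random.Random(4)
    for r in range(2, 6):
        keys = [rng.randrange(256) for _ in range(r)]
        check_identity(keys, G)
        print(f"{r} rounds: empirical bias {measure_bias(keys, G, samples=1 << 14):.4f}"
              f"  (Piling-up prediction {2.0 ** (-r - 1):.4f})")
```

With G = 0 the sum is the constant $\bigoplus K_i$ for every plaintext whose round inputs are all non-zero, which is the probability-1 case of the text; with the biased G the measured bias for 2 and 3 rounds comes out close to $2^{-r-1}$, i.e. on this instance the dependence between rounds does not disturb the Piling-up Lemma.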

Related work: Similar results were previously obtained for some substitution- 
permutation network (SPN) ciphers. In [9] Harpes, Kramer and Massey give 
an example of an 8-bit SPN that is secure against LC and DC, but insecure for 
generalised linear cryptanalysis due to a probabilistic homomorphic property of 
each round relative to the quadratic residuosity function modulo $2^8 + 1$. The Jakobsen 
attack on substitution ciphers that uses probabilistic univariate polynomials, 
from [15], can also be seen as a special case of GLC. However, it is the first time 
that GLC allows one to break a Feistel cipher, which contradicts the impossibility 
professed by Knudsen and Robshaw [20]. This cipher is built with state-of-the-art 
components (the inverse in $GF(2^n)$) and can in addition incorporate any 
fashionable component with lots of theory and designer tricks, as a part of G. 
Due to G it will not have homomorphic properties. Moreover, by adjusting the 
bias in G, the security of this cipher against BLC can be freely adjusted between 
(nearly) zero and infinity. It can therefore be arbitrarily weak for BLC, and this 
even for a very large number of rounds. Yet the security against the usual attacks 
(LC, DC) should remain equally good (due to the big Inv S-box). 

6 Bi-linear Attacks on DES 

6.1 Notation 

We ignore the initial and final permutations of DES, which have no influence on the 
attacks. We use the "untwisted" representation of DES, as in the right-hand figure 
on page 254 of [28]. The bit numbering is compatible with the FIPS 
standard [8] and with [23, 18], and differs from Biham and Shamir [2] or Matsui [25, 27]. 
We denote the bits of the left half of the plaintext by $L_0[1] \ldots L_0[32]$ and the 
bits of the right half by $R_0[1] \ldots R_0[32]$. Similarly, as in other papers, the 
plaintext after i rounds will be $L_i, R_i$, except that we felt it necessary to have our 
notation completely "untwisted", which implies that our $L_i$ and $R_i$ for odd 
i = 1, 3, ... are swapped compared to [23, 18, 28]. Then we apply the popular 
convention that $X[i_1, \ldots, i_n]$ denotes $X[i_1] \oplus \ldots \oplus X[i_n]$. For example $L_0[9, 17, 23, 31]$ is 
the XOR of the 4 bits of the left half of the plaintext that are added to the outputs 
of S1 in the first round. We denote the input bits to the i-th round function by 
$I_i[1], \ldots, I_i[32]$, and similarly its output bits by $O_i[1], \ldots, O_i[32]$. 

For odd i we have $I_i[j] = R_{i-1}[j] = R_i[j]$ and $O_i[j] = L_{i-1}[j] \oplus L_i[j]$. 

For even i we have $I_i[j] = L_{i-1}[j] = L_i[j]$ and $O_i[j] = R_{i-1}[j] \oplus R_i[j]$. 

For individual S-boxes we denote the inputs and outputs by $J[i]$ and $O[j]$ 
respectively, with i, j being directly the bit numbers 1..32 in the round function 
of DES. For example $O[8], O[14], O[25], O[3]$ are the outputs of S-box S5, and 
$J[16], \ldots, J[21]$ are the inputs of this S-box S5. Depending on the key in round 
i, we have $I_i[k] = J_i[k]$ or $I_i[k] = J_i[k] \oplus 1$. For better readability we avoid 
naming precisely the key bits involved. 

6.2 First Example of Bi-linear Cryptanalysis of DES 

Our simulations on DES S-boxes (cf. Appendix A) show that the following two 
bi-linear characteristics exist for DES S-boxes S1 and S5: 

$O[8, 14, 25, 3] \oplus J[17] \cdot O[3] = 0$ for S5 with probability 17/64 

$O[17] \oplus J[3] \cdot O[17] = 0$ for S1 with probability 47/64 

From these, acting as if all the key bits were zero ($I_i[k] = J_i[k]$), we deduce 
the following bi-linear characteristic for two rounds: 

(*) $L_0[3, 8, 14, 25] \oplus L_0[3] R_0[17] \oplus R_0[17] \oplus L_2[3, 8, 14, 25] \oplus L_2[3] R_2[17] \oplus R_2[17] = K[sth]$ 
with probability $\tfrac{1}{2} \pm 1.76 \cdot 2^{-4}$ 

The explanation is given in Fig. 4. 

[Figure 4: two-round diagram. Left column $L_0[8,14,25,3]$, $L_1[8,14,25,3]$, $L_2[8,14,25,3]$; 
right column $R_0[17]$, $R_1[17]$, $R_2[17]$; the two rounds are labelled, from top to 
bottom, with the S-box probabilities 17/64 (S5) and 47/64 (S1).] 

Fig. 4. Our first example - an invariant bi-linear attack on DES (*) 
We verified this bias experimentally, and the probability is (we were lucky) 
equal to the probability predicted by Matsui's Piling-up Lemma. 

Key Dependence: Very surprisingly, the above equation (*) is biased not only 
when all key bits are 0, but for every DES key. This can be seen to come from 
a couple of other (different) bi-linear characteristics from Appendix A. 

More rounds: It is easy to see from the picture, and we verified it experimentally, 
that (*) is also biased for 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, ... rounds of DES, and 
all this happens to work about equally well for an arbitrary key. 

Relation to LC: The bias of (*) is closely related to some prominent equations 
of Matsui, see the extended version of this paper. 

6.3 Invariant Attacks on DES 

The equation (*) is an invariant equation, i.e. the input and the output bi-linear 
expressions are the same. We have found a simple invariant bi-linear I/O sum 
for DES that is biased for any key and for any number of rounds. For LC and 
DES, such simple invariant characteristics do exist; they were found by Biham 
(page 347 in [1]) in close relation to the Davies-Murphy attack. The example (*) 
above is one of the best we found for DES, and so far it is also the only known 
non-linear 1-round invariant attack on DES that works really well in practice. 
Our invariant on DES is stronger than Biham's. We recall that Biham uses a 
bias on a sum of some outputs of two successive DES S-boxes. The best bias 
obtained by Biham (also exhibited by Matsui in [26] and contained, unnoticed, in 
the earlier Davies-Murphy attack [6,7]) is equal to (35/64 - 1/2) for 2 rounds 
and for S-boxes S7-S8. By the Piling-up Lemma this gives $1.4 \cdot 2^{-22}$ for 12 rounds. 
Instead, (*) gives experimentally about 1.3 · 2“^®. Accordingly, (*) is the strongest 
known 1-round invariant attack on DES. 

To break full DES requires a bias for 14 rounds (Matsui's 2R method), and 
Biham's invariant then requires $2^{50}$ plaintexts. Our invariant attack requires 
about 2^® plaintexts (the bias of (*) for 14 rounds is expected to be about 2“^^; 
we did not dispose of sufficient computing power to compute it exactly). 

6.4 How Good Is Our First Example, BLC vs. LC 

These new properties of DES give a chosen-plaintext attack on an arbitrary 
number of rounds of DES, somewhat simpler than Matsui's laborious search 
for the best linear characteristic. If we try to predict the resulting bias 
for 14 rounds by applying Matsui's Piling-up formula to seven copies of (*), we get 
a bias of $1.63 \cdot 2^{-17}$, which would mean an attack on full DES with only 2®^ ® 
known plaintexts (!?). Unfortunately, unlike for LC in DES, such predictions are 
frequently not valid for BLC. Starting from 3 rounds the bias of our invariant 
does not follow the prediction at all, yet remains significant. For example, if we 
apply Matsui's Piling-up Lemma to predict the bias for 4 rounds as 2+2 rounds, 
we obtain $1.55 \cdot 2^{-6}$, while in practice it is about 1.80 · 2“®. Compared to Matsui, 
our invariant attack seems very bad for 4 rounds, and unfortunately with (*) we never 
get a bias better than Matsui's. Yet it is the best invariant attack on DES known, and 
for more than 4 rounds the results are again not so bad, only slightly worse 
than Matsui. For example, for 12 rounds the best result of Matsui from [25] gives 
1.19 · 2“^^, while for (*) and a random key our simulation gives 1.3 · 2“^®. To 
break full DES Matsui requires about $2^{43}$ plaintexts, and with (*) we also need 
about $2^{43}$ (and both are related). In the full version of this paper we give a 
heuristic argument why for DES (but not in general!) the complexity of 
the best bi-linear attack should be roughly the same as for LC. 

For DES and 1-round invariant attacks extended to an arbitrary number of 
rounds, BLC gives strictly better results than LC. The same holds for more complex 
periodic constructions, and we are going to see that BLC attacks can also be 
strictly better than any existing linear attack. 

6.5 Second Example of Bi-linear Cryptanalysis of DES 

In order to exhibit biases really better than Matsui's, we looked for the best 
bi-linear characteristic that exists in DES: 

$J[16, 20] \oplus O[8, 14, 25, 3] \oplus J[16, 17, 20] \cdot O[3] = 0$ for S5 with probability 61/64. 

We note that this equation can be seen as "causing" the existence of 
Matsui's best equation (A) for S5: their difference is highly biased. Based mainly 
on this, we constructed a periodic characteristic for 3, 7, 11 and more rounds that 
is strictly better than the best results of Matsui for the same number of rounds. 

Proposition 6.5.1 (Our Best Attack on 11 Rounds of DES). For all keys, 
the following equation is biased for 11 rounds of DES: 

(**) $L_0[3, 8, 14, 25] \oplus L_0[3] R_0[16, 17, 20] \oplus R_0[17] \oplus L_{11}[3, 8, 14, 25] \oplus L_{11}[3] R_{11}[16, 17, 20] \oplus R_{11}[17]$ 
$= K[sth] \oplus K[sth'] L_0[3] \oplus K[sth''] L_{11}[3]$ with probability $\tfrac{1}{2} \pm$ around 1.2 · 2"^® 

The exact construction to achieve this is a bit complicated (cf. Appendix 
B). The bias of this equation is strictly better than the best linear characteristic 
for 11 rounds obtained by Matsui (which gives 1.91 · 2“^® for 11 rounds). It has 
been verified by computer simulations at every stage. We note also that both 
are closely related: their difference is a biased Boolean function. 

Our second example allows us to give an attack strictly better than Matsui's 
for 11+2 = 13 rounds of DES. For the full 16-round DES our results are roughly 
as good as Matsui's (but we hope to improve this soon too). As the construction of 
our second example (**) is periodic, we expect that for 11+4 = 15 rounds it should 
also be better than the best bias of Matsui, which would allow one to break 
15+2 = 17 rounds of DES faster than by LC. We do not dispose of sufficient 
computing power to fully confirm this. 

7 Conclusion 

It was stated that for Feistel ciphers non-linear characteristics cannot be joined 
together for several rounds, see [20]. In this paper we show that generalised linear 
cryptanalysis (GLC) is in fact possible for Feistel schemes. To achieve this goal 
we introduced bi-linear cryptanalysis (BLC). It gives a new (and the fastest 
known) 1-round invariant attack on DES. Though more powerful, generalised 
linear cryptanalysis is unfortunately much harder to study than LC. At present, 
heuristic constructions, to be confirmed (or not) by computer simulations, are 
the only known method to explore it. BLC is related to LC in multiple important 
ways. It contains LC as a subset. LC can be used to construct good bi-linear 
characteristics and vice versa. BLC also contains LC as an extension: a combination 
of biased bi-linear characteristics may extend a concrete combination of 
biased linear characteristics by adding quadratic polynomials. Yet BLC can be 
strictly better than any (existing) linear attack. This was demonstrated for 3, 7, 
11 and more rounds of DES, and also for s²DES. 

In this paper we only initiate the study of bi-linear cryptanalysis. BLC and 
GLC extend the role of LC as an essential tool to evaluate the real-life security 
of many practical ciphers. An interesting contribution of this paper is to point 
out that, though GLC is excessively general to be systematically explored, the 
properties of the top-level structure of a cryptographic scheme (e.g. being a 
Feistel scheme) determine the type of attacks (e.g. BLC) that may indeed 
work. Our new attack can be quite devastating: we constructed a large family of 
practical ciphers based on a big Rijndael-type S-box that are strongly resistant 
against LC and all previously known attacks on Feistel ciphers, yet can be broken 
in practice with BLC for an important number of rounds. Fortunately, for DES, 
BLC gives only slight improvements over LC and does not cause excessive trouble. 
A Selected Bi-linear Characteristics of DES S-Boxes 

In this section we give some bi-linear characteristics for DES S-boxes. Our results 
are not exhaustive: the number of possible bi-linear characteristics is huge and 
we do not have a fast method to find all interesting characteristics. Accordingly 
we are not certain to have found the best existing characteristics. It is certain 
that there are no characteristics true with probability 1, as these are easy to check 
algebraically. Otherwise we explored all cases that use up to two products, and 
we conjecture that the others do not have practical relevance for the security 
of DES. We give here some interesting results we have found. More will appear 
in the extended version of this paper. 



Table 1. A few selected bi-linear characteristics for DES S-boxes. Each row gives the 
S-box, the probability that the equation holds, the linear input part J[...], the 
linear output part O[...], the bi-linear part J[...]*O[...] (bit numbers as in 
Section 6.1), and remarks. A blank entry means that this part is absent. 

S-box  prob.   input    output       input*output             remarks and comments 
S5     12/64   17       8,14,25,3                             Matsui's equation A 
S5      6/64   17       8,14,25,3    [17]*[8,14,25,3]         gets better 
S5     58/64                         [17]*[8,14,25,3] 
S5      8/64   17       8,14,25,3    [16,17,20]*[8] 
S5      8/64   16,20    8,14,25      [16,20]*[8,14,25] 
S5     61/64   16,20    8,14,25,3    [16,17,20]*[3]           the best in DES 
S5     47/64            8,14,25      17*3 
S5     17/64            8,14,25,3    17*3 
S5     47/64                         17*3 
S5     49/64            3            17*3 
S5     49/64   17                    17*3 
S5     17/64   17       3            17*3 
S1     30/64   3        17                                    Matsui's equation C 
S1     15/64   3        17           3*17                     gets better 
S1     47/64            17           3*17 
S1     47/64   3                     3*17 
S1     49/64                         3*17 
S2      8/64   5        13,28,18     8*2 
S4     56/64                         [12,14,16,17]*[26,1]     (there are many similar) 
S6     38/64            11,19        21*29 
S7     11/64   25,28    32,12,7      28*12, 27*22 
S8     40/64            5,27,15      29*21 

B Improved Bi-linear Attacks for DES 

The goal of this section is to find or construct examples where bi-linear 
cryptanalysis gives a strictly better bias on DES than Matsui's best result. 

We look at Matsui's best characteristic on 3 rounds, given on the last 
page of [25]. By itself it can be considered very good, even compared to 
other Matsui characteristics: it uses twice the best element (A) of Matsui, and 
nothing between them. Moreover, this element (A) is in itself the best linear 
characteristic that exists in DES, first described by Shamir in [30]: 

(A) $J[17] \oplus O[8, 14, 25, 3] = 0$ for S5 with probability 12/64 

From this we get immediately, using Matsui's Piling-up Lemma from [25], 
that for 3 rounds, and for any key, the following equation is biased: 

$L_0[8, 14, 25, 3] \oplus R_0[17] \oplus L_3[8, 14, 25, 3] \oplus R_3[17] = K[sth]$ 

We call this equation Matsui-3. 

B.l Improving on Matsui-3 

We will show that with bi-linear characteristics there are strictly better equations 
than Matsui-3. Our simulations looking for the best bi-linear characteristics 
for DES S-boxes (cf. Appendix A) showed that the best one is the following: 

$J[16, 20] \oplus O[8, 14, 25, 3] \oplus J[16, 17, 20] \cdot O[3] = 0$ for S5 with probability 61/64 

Remark: It is clearly related to, and can be seen as "causing", the existence of 
Matsui's equation (A): their difference is naturally biased. 

We will use this characteristic. Let KS5 denote the combination of the S-box 
S5 and the key bits XORed to its inputs. It is easy to see that for KS5, if we 
denote by K[sth] some constant linear combination of key bits, for any key one 
of the following two equations is always strongly biased (a key bit k on the input 
sum J[16,17,20] turns the product into $I[16,17,20] \cdot O[3] \oplus k \cdot O[3]$, so for half of the 
keys the bit O[3] moves into the linear part): 

(a1) $I[16, 20] \oplus O[8, 14, 25, 3] \oplus I[16, 17, 20] \cdot O[3] = K[sth]$ 

or, with [bias] = 1/2 - 3/64 in both cases, 

(a2) $I[16, 20] \oplus O[8, 14, 25] \oplus I[16, 17, 20] \cdot O[3] = K[sth]$ 

In our construction we will use one of the above, and we will also use another, 
naturally biased equation, which will be one of the following: 

(b) $O[16, 17, 20] \oplus I[3] \cdot O[16, 17, 20] = 0$ 

or, with [bias] = 1/2 - 1/4 in both cases, 

(c) $I[3] \oplus O[16, 17, 20] \oplus I[3] \cdot O[16, 17, 20] = 0$ 
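The single-S-box figures used here, in Section 6.2 and in Table 1 of Appendix A are exhaustive counts over the 64 inputs of one S-box, so they can be re-derived in a few lines. The following script is an added example and not the paper's own search tool. It hard-codes the FIPS tables of S1 and S5 and the E/P bit positions that make J[16..21] the inputs and O[8], O[14], O[25], O[3] the outputs of S5 (J[32], J[1..5] and O[9], O[17], O[23], O[31] for S1), and it also implements Matsui's Piling-up Lemma so that the two-round prediction for (*) and the three-round prediction $1.64 \cdot 2^{-3}$ for a1-b-a1 can be recomputed. In this orientation the 61/64 characteristic comes out equal to 1 (rather than 0) for 61 of the 64 inputs; since the constant is absorbed into K[sth] only the bias 29/64 matters, and that is what the script reports.

```python
"""Exhaustive check of single-S-box bi-linear characteristics of DES.

Added example, not the paper's own search tool.  Bit numbering is the FIPS
one of Section 6.1: J[1..32] is the round-function input before the E
expansion and O[1..32] its output after the P permutation.  By the E table
S5 reads J[16..21] and S1 reads J[32],J[1..5]; by the P table the four output
bits of S5 (most significant first) land in O[8],O[14],O[25],O[3] and those
of S1 in O[9],O[17],O[23],O[31].
"""
from fractions import Fraction

# Standard DES S-box tables (FIPS 46): rows selected by b1 b6, columns by b2..b5.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]
S5 = [
    [2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
    [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
    [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
    [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3],
]

# FIPS bit index -> position 1..6 in the 6-bit S-box input (b1 first)
S1_IN = {32: 1, 1: 2, 2: 3, 3: 4, 4: 5, 5: 6}
S5_IN = {16: 1, 17: 2, 18: 3, 19: 4, 20: 5, 21: 6}
# FIPS bit index -> position 1..4 in the 4-bit S-box output (MSB first)
S1_OUT = {9: 1, 17: 2, 23: 3, 31: 4}
S5_OUT = {8: 1, 14: 2, 25: 3, 3: 4}


def sbox(table, x):
    """DES S-box lookup for a 6-bit input x = b1..b6 (b1 most significant)."""
    row = ((x >> 4) & 2) | (x & 1)   # b1 b6
    col = (x >> 1) & 15              # b2 b3 b4 b5
    return table[row][col]


def parity(bits):
    v = 0
    for b in bits:
        v ^= b
    return v


def count_zero(table, inmap, outmap, lin_in=(), lin_out=(), products=()):
    """Number of the 64 S-box inputs for which
         J[lin_in] ^ O[lin_out] ^ XOR over (A, B) in products of J[A]*O[B]
    is 0, where J[A] is the XOR of the listed bits (the paper's convention)."""
    zeros = 0
    for x in range(64):
        y = sbox(table, x)
        j = {i: (x >> (6 - p)) & 1 for i, p in inmap.items()}
        o = {k: (y >> (4 - p)) & 1 for k, p in outmap.items()}
        v = parity(j[i] for i in lin_in) ^ parity(o[k] for k in lin_out)
        for a, b in products:
            v ^= parity(j[i] for i in a) & parity(o[k] for k in b)
        zeros += (v == 0)
    return zeros


def bias(zeros):
    """|p - 1/2| for an equation that holds for `zeros` of the 64 inputs."""
    return abs(Fraction(zeros, 64) - Fraction(1, 2))


def piling_up(probs):
    """Matsui's Piling-up Lemma: P[X_1 ^ ... ^ X_n = 0] for independent X_i
    with P[X_i = 0] = p_i, i.e. 1/2 + 2^(n-1) * prod (p_i - 1/2)."""
    acc = Fraction(1)
    for p in probs:
        acc *= 2 * (Fraction(p) - Fraction(1, 2))
    return Fraction(1, 2) + acc / 2


# name -> (table, input map, output map, linear input, linear output, products)
CHARACTERISTICS = {
    "Matsui (A), S5":          (S5, S5_IN, S5_OUT, [17], [8, 14, 25, 3], []),
    "Sect. 6.2, S5 (17/64)":   (S5, S5_IN, S5_OUT, [], [8, 14, 25, 3], [([17], [3])]),
    "best in DES, S5 (61/64)": (S5, S5_IN, S5_OUT, [16, 20], [8, 14, 25, 3],
                                [([16, 17, 20], [3])]),
    "Matsui (C), S1":          (S1, S1_IN, S1_OUT, [3], [17], []),
    "Sect. 6.2, S1 (47/64)":   (S1, S1_IN, S1_OUT, [], [17], [([3], [17])]),
    "Table 1, S1 (15/64)":     (S1, S1_IN, S1_OUT, [3], [17], [([3], [17])]),
}


def all_counts():
    """Number of inputs (out of 64) for which each characteristic equals 0."""
    return {name: count_zero(*spec) for name, spec in CHARACTERISTICS.items()}


if __name__ == "__main__":
    for name, zeros in all_counts().items():
        print(f"{name:26s} = 0 for {zeros:2d}/64 inputs, bias {bias(zeros)}")
    p = piling_up([Fraction(17, 64), Fraction(47, 64)])
    print("Piling-up for (*), 2 rounds :", p, " bias", abs(p - Fraction(1, 2)))
    p = piling_up([Fraction(61, 64), Fraction(3, 4), Fraction(61, 64)])
    print("Piling-up for a1-b-a1, 3 rds:", p, " bias", abs(p - Fraction(1, 2)))
```

The two Piling-up values are 1/2 - 450/4096 (i.e. bias 1.76 · 2^-4 for the two-round (*)) and 1/2 + 841/4096 (bias 1.64 · 2^-3 for a1-b-a1); the S-box counts are exact, so any disagreement with a table entry points at a bit-numbering mistake rather than at sampling noise.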






Now we are ready to construct characteristics for 3 rounds of DES. 
[Figure 5: three-round diagram for a1-b-a1. Left column $L_0[8,14,25,3]$, $L_1[8,14,25,3]$, 
$L_2[8,14,25,3]$, $L_3[8,14,25,3]$; middle column the bi-linear terms $L_0[3]R_0[16,17,20]$, 
$L_1[3]R_1[16,17,20]$, $L_2[3]R_2[16,17,20]$, $L_3[3]R_3[16,17,20]$; right column $R_0[17]$, 
$R_1[16,17,20]$, $R_2[16,17,20]$, $R_3[17]$. Rounds 1 and 3 are KS5 with linear parts 
[8,14,25,3] and [16,20] and bi-linear part [3]*[16,17,20], labelled 3/64; round 2 is the 
natural element with linear part [16,17,20] and bi-linear part [3]*[16,17,20], labelled 3/4.] 

Fig. 5. Combining a1-b-a1 to get a characteristic for 3 rounds of DES 

[Figure 6: three-round diagram for a2-c-a1. Left column $L_0[8,14,25]$, $L_1[8,14,25]$, 
$L_2[8,14,25,3]$, $L_3[8,14,25,3]$; middle column $L_0[3]R_0[16,17,20]$, $L_2[3]R_2[16,17,20]$, 
$L_3[3]R_3[16,17,20]$; right column $R_0[17]$, $R_1[16,17,20]$, $R_2[16,17,20]$, $R_3[17]$. 
Round 1 is KS5 (a2), labelled 3/64; round 2 is the natural element with linear part 
[3] [16,17,20] and bi-linear part [3]*[16,17,20], labelled 1/4; round 3 is KS5 (a1) with 
linear parts [8,14,25,3] and [16,20] and bi-linear part [3]*[16,17,20], labelled 3/64.] 

Fig. 6. Combining a2-c-a1 to get a characteristic for 3 rounds of DES 



As one should expect, our construction goes as follows: 

o In rounds 1 and 3, depending on the key, either a1 or a2 is strongly biased. 
o To connect a1 to a1, or a2 to a2, we use b, as in Figure 5. 
o To connect a1 to a2 and the reverse, we use c, as in Figure 6. 
o For 3 rounds and for any key, we always have a strong bias on one of the 
four possibilities: a1-b-a1, a1-c-a2, a2-c-a1, a2-b-a2. 
o From Matsui's Piling-up Lemma we expect the whole characteristic 
to be true with probability $\tfrac{1}{2} \pm 1.64 \cdot 2^{-3}$. Our simulations show that it is 
between $\tfrac{1}{2} \pm 1.65 \cdot 2^{-3}$ and $\tfrac{1}{2} \pm 1.67 \cdot 2^{-3}$. 
o Since the choice of a1/a2 depends on a linear combination of key bits, we 
can combine all these into one equation and we get the following result: 

Proposition B.1.1 (Our Best Attack on 3 Rounds of DES). For all keys, 
the following equation is biased for 3 rounds of DES: 

(**) $L_0[3, 8, 14, 25] \oplus L_0[3] R_0[16, 17, 20] \oplus R_0[17] \oplus L_3[3, 8, 14, 25] \oplus L_3[3] R_3[16, 17, 20] \oplus R_3[17]$ 
$= K[sth] \oplus K[sth'] L_0[3] \oplus K[sth''] R_3[3]$ 

In comparison, Matsui-3 gives $\tfrac{1}{2} - 1.56 \cdot 2^{-3}$. Bi-linear cryptanalysis works 
better than LC. In the next section we extend this result (and again beat 
Matsui) to 7, 11 and more rounds. 

Remark: The equation above can be seen as 4 different equations, each of them 
highly biased for 1/4 of all keys. We observed that each of the 4 equations 
is also biased for all DES keys, except that for 3/4 of them the bias is much 
weaker: we get about 1/2 ± 1.6 · 2“’^. 

B.2 Extending the Result for 7, 11 and More Rounds 

The idea is to find an element (maybe not very good in itself) that allows us to 
connect together our (very good) characteristics on 3 rounds. For example, to 
connect Figure 5 with Figure 6 we use the following element: 

[Figure 7: one-round connecting element. Input side $L_3[8,14,25,3]$ and 
$L_3[3]R_3[16,17,20]$, output side $L_4[3]R_4[16,17,20]$, right column $R_3[17]$; the round is 
labelled "S1 ± natural" with linear part [3] [17] and bi-linear part [3]*[16,17,20], 
probability 1/2 ± 0.8/64.] 

Fig. 7. Connecting the output of a1 to the input of a2 



Simulations show that, for any key, this characteristic is true with probability 
about 1/2 ± 0.8/64. The explanation is as follows: the bias is due to the 
combination of Matsui's equation (C) 

(C) $J[3] \oplus O[17] = 0$ for S1 with probability 30/64 

with the fact that $I[3] \cdot O[16, 17, 20]$ is naturally biased. The same element 
(Figure 7) also works to connect a2 to a1. 

It remains to be seen how to connect a1 with a1, or a2 with a2. 
This is done in a very similar way: we combine (C) with $I[3] \oplus I[3] \cdot O[16, 17, 20]$, 
which is also naturally biased. 
Summary: In each of the 4 possible cases there is a connecting element based 
on (C). This means that also for 7 rounds and for any key, one of the 
four possibilities is again quite biased: a1-b-a1, a1-c-a2, a2-c-a1, a2-b-a2. Again we 
can recompose it into a single attack: 

Proposition B.2.1 (Extension to 7 Rounds of DES). For all keys, the 
following equation is biased for 7 rounds of DES: 

$L_0[3, 8, 14, 25] \oplus L_0[3] R_0[16, 17, 20] \oplus R_0[17] \oplus L_7[3, 8, 14, 25] \oplus L_7[3] R_7[16, 17, 20] \oplus R_7[17]$ 
$= K[sth] \oplus K[sth'] L_0[3] \oplus K[sth''] L_7[3]$ with probability $\tfrac{1}{2} \pm$ about $2^{-9}$ 

This bias is, depending on the key, sometimes better, sometimes worse than 
Matsui-7, which gives $\tfrac{1}{2} - 1.95 \cdot 2^{-10}$. 

Finally, it is now obvious that our construction also works for 11, 15, 19 
rounds etc. We verified experimentally that for 11 rounds we have: 

Proposition B.2.2 (Our Best Attack on 11 Rounds of DES). For all 
keys, the following equation is biased for 11 rounds of DES: 

$L_0[3, 8, 14, 25] \oplus L_0[3] R_0[16, 17, 20] \oplus R_0[17] \oplus L_{11}[3, 8, 14, 25] \oplus L_{11}[3] R_{11}[16, 17, 20] \oplus R_{11}[17]$ 
$= K[sth] \oplus K[sth'] L_0[3] \oplus K[sth''] L_{11}[3]$ with probability $\tfrac{1}{2} \pm$ around 1.2 · 2"^® 

For the few different keys we tried (a long computation on a PC) the bias 
was always strictly better than Matsui-11, which gives $\tfrac{1}{2} -$ 1.91 · 2“^®. 

Remark: The best characteristics found by Matsui for 3 and 11 rounds [25] 
are closely related to those presented here: their difference is a biased Boolean 
function. BLC contains LC not only as a subset, but also as an extension allowing 
one to strictly improve the best linear attacks on DES by adding higher-degree 
monomials. 

B.3 Beyond Bi-linear Attacks: Using Cubic Equations 

We observed that, for 3 rounds, even better results can be achieved using cubic, 
partially bi-linear characteristics instead of the quadratic bi-linear (**) from 
Proposition B.1.1. Our simulations show that, for an important fraction of keys: 

(***) $L_0[3, 8, 14, 25] \oplus L_0[3] R_0[16, 17, 20] R_0[17, 18, 19, 20] \oplus L_3[3, 8, 14, 25] \oplus L_3[3] R_3[16, 17, 20] R_3[17, 18, 19, 20] \oplus R_0[17] \oplus R_3[17] = K[sth]$ 
with probability $\tfrac{1}{2} - 1.82 \cdot 2^{-3}$ 

The explanation of why this works is quite similar. Though the non-linear part 
of this equation is not bi-linear, it is well correlated with a truly bi-linear function: 

$L[3] R[16, 17, 20] R[17, 18, 19, 20] = L[3] R[16, 17, 20]$ with probability 7/8 

Unfortunately, the bias of (***) is worse for other keys. On average, the 
best bias we know for 3 rounds remains (**) from Proposition B.1.1. We also 
observed that (***) works for any number of DES rounds and for any key, 
but again the results are not as good as with (**). 
Abstract. We construct a short group signature scheme. Signatures 
in our scheme are approximately the size of a standard RSA signa- 
ture with the same security. Security of our group signature is based 
on the Strong Diffie-Hellman assumption and a new assumption in bilin- 
ear groups called the Decision Linear assumption. We prove security of 
our system, in the random oracle model, using a variant of the security 
definition for group signatures recently given by Bellare, Micciancio, and 
Warinschi. 



1 Introduction 

Group signatures, introduced by Chaum and van Heyst [14], provide anonymity 
for signers. Any member of the group can sign messages, but the resulting signa- 
ture keeps the identity of the signer secret. In some systems there is a third party 
that can trace the signature, or undo its anonymity, using a special trapdoor. 
Some systems support revocation [12,4,29, 15] where group membership can be 
selectively disabled without affecting the signing ability of unrevoked members. 
Currently, the most efficient constructions [2,12,4] are based on the Strong-RSA 
assumption introduced by Barić and Pfitzmann [5]. 

In the last two years a number of projects have emerged that require the 
properties of group signatures. The first is the Trusted Computing effort [28] 
that, among other things, enables a desktop PC to prove to a remote party 
what software it is running via a process called attestation. Group signatures 
are needed for privacy-preserving attestation [17, Sect. 2.2]. Perhaps an even 
more relevant project is the Vehicle Safety Communications (VSC) system from 
the Department of Transportation in the U.S. [18]. The system embeds short- 
range transmitters in cars; these transmit status information to other cars in 
close proximity. For example, if a car executes an emergency brake, all cars in 
its vicinity are alerted. To prevent message spoofing, all messages in the system 
are signed by a tamper-resistant chip in each car. (MACs were ruled out for this 
many-to-many broadcast environment.) Since VSC messages reveal the speed 
and location of the car, there is a strong desire to provide user privacy so that 
the full identity of the car sending each message is kept private. Using group 
signatures, where the group is the set of all cars, we can maintain privacy while 
still being able to revoke a signing key in case the tamper resistant chip in a car 
is compromised. Due to the number of cars transmitting concurrently there is a 
hard requirement that the length of each signature be under 250 bytes. 

The two examples above illustrate the need for efficient group signatures. 
The second example also shows the need for short group signatures. Currently, 
group signatures based on Strong-RSA are too long for this application. 

We construct short group signatures whose length is under 200 bytes that 
offer approximately the same level of security as a regular RSA signature of the 
same length. The security of our scheme is based on the Strong Diffie-Hellman 
(SDH) assumption [8] in groups with a bilinear map. We also introduce a new as- 
sumption in bilinear groups, called the Linear assumption, described in Sect. 3.2. 
The SDH assumption was recently used by Boneh and Boyen to construct short 
signatures without random oracles [8] . A closely related assumption was used by 
Mitsunari et al. [22] to construct a traitor-tracing system. The SDH assumption 
has similar properties to the Strong-RSA assumption. We use these properties 
to construct our short group signature scheme. Our results suggest that systems 
based on SDH are simpler and shorter than their Strong-RSA counterparts. 

Our system is based on a new Zero-Knowledge Proof of Knowledge (ZKPK) 
of the solution to an SDH problem. We convert this ZKPK to a group signature 
via the Fiat-Shamir heuristic [16] and prove security in the random oracle model. 
Our security proofs use a variant of the security model for group signatures 
proposed by Bellare, Micciancio, and Warinschi [6]. 

Recently, Camenisch and Lysyanskaya [13] proposed a signature scheme with 
efficient protocols for obtaining and proving knowledge of signatures on commit- 
ted values. They then derive a group signature scheme using these protocols as 
building blocks. Their signature scheme is based on the LRSW assumption [21], 
which, like SDH, is a discrete-logarithm-type assumption. Their methodology 
can also be applied to the SDH assumption, yielding a different SDH-based 
group signature. 

The SDH group signature we construct is very flexible and we show how to 
add a number of features to it. In Sect. 7 we show how to apply the revocation 
mechanism of Camenisch and Lysyanskaya [12]. In Sect. 8 we briefly sketch how 
to add strong exculpability. 

2 Bilinear Groups 

We first review a few concepts related to bilinear maps. We follow the notation 
of Boneh, Lynn, and Shacham [9]: 

1. $G_1$ and $G_2$ are two (multiplicative) cyclic groups of prime order $p$; 

2. $g_1$ is a generator of $G_1$ and $g_2$ is a generator of $G_2$; 

3. $\psi$ is a computable isomorphism from $G_2$ to $G_1$, with $\psi(g_2) = g_1$; and 

4. $e$ is a computable map $e : G_1 \times G_2 \to G_T$ with the following properties: 

— Bilinearity: for all $u \in G_1$, $v \in G_2$ and $a, b \in \mathbb{Z}$, $e(u^a, v^b) = e(u, v)^{ab}$. 

— Non-degeneracy: $e(g_1, g_2) \neq 1$. 
Throughout the paper, we consider bilinear maps $e : G_1 \times G_2 \to G_T$ where 
all groups $G_1, G_2, G_T$ are multiplicative and of prime order $p$. One could set 
$G_1 = G_2$. However, we allow for the more general case where $G_1 \neq G_2$ so that 
our constructions can make use of certain families of non-supersingular elliptic 
curves defined by Miyaji et al. [23]. In this paper we only use the fact that $G_1$ 
can be of size approximately $2^{170}$, elements in $G_1$ are 171-bit strings, and that 
discrete log in $G_1$ is as hard as discrete log in $\mathbb{Z}_q^*$ where $q$ is 1020 bits. We will 
use these groups to construct short group signatures. We note that the bilinear 
groups of Rubin and Silverberg [25] can also be used. 

We say that two groups $(G_1, G_2)$ as above are a bilinear group pair if the 
group action in $G_1$ and $G_2$, the map $\psi$, and the bilinear map $e$ are all efficiently 
computable. 

The isomorphism $\psi$ is only needed for the proofs of security. To keep the 
discussion general, we simply assume that $\psi$ exists and is efficiently computable. 
(When $G_1, G_2$ are subgroups of the group of points of an elliptic curve $E/\mathbb{F}_q$, the 
trace map on the curve can be used as this isomorphism. In this case, $G_1 \subseteq E(\mathbb{F}_q)$ 
and $G_2 \subseteq E(\mathbb{F}_{q^r})$.) 



3 Complexity Assumptions 



3.1 The Strong Diffie-Hellman Assumption 

Let $G_1, G_2$ be cyclic groups of prime order $p$, where possibly $G_1 = G_2$. Let $g_1$ 
be a generator of $G_1$ and $g_2$ a generator of $G_2$. Consider the following problem: 

q-Strong Diffie-Hellman Problem. The $q$-SDH problem in $(G_1, G_2)$ is defined 
as follows: given a $(q+2)$-tuple $(g_1, g_2, g_2^{\gamma}, g_2^{\gamma^2}, \ldots, g_2^{\gamma^q})$ as input, 
output a pair $(g_1^{1/(\gamma+x)}, x)$ where $x \in \mathbb{Z}_p^*$. An algorithm $\mathcal{A}$ has advantage $\epsilon$ 
in solving $q$-SDH in $(G_1, G_2)$ if 

$\Pr\big[\mathcal{A}(g_1, g_2, g_2^{\gamma}, \ldots, g_2^{\gamma^q}) = (g_1^{1/(\gamma+x)}, x)\big] \geq \epsilon$, 

where the probability is over the random choice of $\gamma$ in $\mathbb{Z}_p^*$ and the random 
bits of $\mathcal{A}$. 

Definition 1. We say that the $(q, t, \epsilon)$-SDH assumption holds in $(G_1, G_2)$ if 
no $t$-time algorithm has advantage at least $\epsilon$ in solving the $q$-SDH problem in 
$(G_1, G_2)$. 

Occasionally we drop the $t$ and $\epsilon$ and refer to the $q$-SDH assumption rather 
than the $(q, t, \epsilon)$-SDH assumption. The $q$-SDH assumption was recently used by 
Boneh and Boyen [8] to construct a short signature scheme without random 
oracles. To gain confidence in the assumption they prove that it holds in generic 
groups in the sense of Shoup [27]. The $q$-SDH assumption has similar properties 
to the Strong-RSA assumption [5]. We use these properties to construct our 
short group signature scheme. 
3.2 The Linear Diffie-Hellman Assumption 

With $g_1 \in G_1$ as above, along with arbitrary generators $u$, $v$, and $h$ of $G_1$, 
consider the following problem: 

Decision Linear Problem in $G_1$. Given $u, v, h, u^a, v^b, h^c \in G_1$ as input, output 
yes if $a + b = c$ and no otherwise. 

One can easily show that an algorithm for solving Decision Linear in $G_1$ gives 
an algorithm for solving DDH in $G_1$. The converse is believed to be false. That 
is, it is believed that Decision Linear is a hard problem even in bilinear groups 
where DDH is easy. More precisely, we define the advantage of an algorithm $\mathcal{A}$ 
in deciding the Decision Linear problem in $G_1$ as 

$\mathrm{Adv\,Linear}_{\mathcal{A}} = \Big|\Pr\big[\mathcal{A}(u, v, h, u^a, v^b, h^{a+b}) = \text{yes} : u, v, h \leftarrow G_1,\ a, b \leftarrow \mathbb{Z}_p\big] - \Pr\big[\mathcal{A}(u, v, h, u^a, v^b, \eta) = \text{yes} : u, v, h, \eta \leftarrow G_1,\ a, b \leftarrow \mathbb{Z}_p\big]\Big|.$ 

The probability is over the uniform random choice of the parameters to $\mathcal{A}$, and 
over the coin tosses of $\mathcal{A}$. We say that an algorithm $\mathcal{A}$ $(t, \epsilon)$-decides Decision 
Linear in $G_1$ if $\mathcal{A}$ runs in time at most $t$, and $\mathrm{Adv\,Linear}_{\mathcal{A}}$ is at least $\epsilon$. 

Definition 2. We say that the $(t, \epsilon)$-Decision Linear Assumption (LA) holds in 
$G_1$ if no $t$-time algorithm has advantage at least $\epsilon$ in solving the Decision Linear 
problem in $G_1$. 



In the full version of the paper we show that the Decision Linear Assumption 
holds in generic bilinear groups. 



Linear Encryption. The Decision Linear problem gives rise to the Linear 
encryption (LE) scheme, a natural extension of ElGamal encryption. Unlike 
ElGamal encryption, Linear encryption can be secure even in groups where a 
DDH-deciding algorithm exists. In this scheme, a user's public key is a triple 
of generators $u, v, h \in G_1$; her private key is the exponents $x, y \in \mathbb{Z}_p$ such that 
$u^x = v^y = h$. To encrypt a message $M \in G_1$, choose random values $a, b \in \mathbb{Z}_p$, and 
output the triple $(u^a, v^b, M \cdot h^{a+b})$. To recover the message from an encryption 
$(T_1, T_2, T_3)$, the user computes $T_3 / (T_1^{\,x} \cdot T_2^{\,y})$. By a natural extension of the proof 
of security of ElGamal, LE is semantically secure against a chosen-plaintext 
attack, assuming Decision-LA holds. 
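To make the Linear encryption algebra concrete, here is an added example (not code from the paper) that implements key generation, encryption, decryption and the trapdoor decision of a Linear tuple in Python. It runs in a toy group, the quadratic residues modulo the safe prime 1019, which have prime order 509 and generator 4; the toy size and the choice of this group are assumptions of the example, and since DDH is already hard in such a group the point is the algebra, which is also what the Open algorithm of Sect. 6 relies on, not the security argument.

```python
# Linear encryption (Sect. 3.2) over a toy prime-order group.  Added example,
# not code from the paper.  The group is the quadratic residues modulo the
# safe prime Q = 1019, which form a subgroup of prime order P = 509 with
# generator G = 4 = 2^2; these sizes are toy (an assumption of this example).
import secrets

Q = 1019   # safe prime, Q = 2P + 1
P = 509    # prime order of the quadratic-residue subgroup G1
G = 4      # a quadratic residue other than 1, hence a generator of G1


def rand_scalar(nonzero=False):
    """Uniform element of Z_p (or of Z_p^* when nonzero=True)."""
    return 1 + secrets.randbelow(P - 1) if nonzero else secrets.randbelow(P)


def keygen():
    """Public key (u, v, h) with u^x = v^y = h; private key (x, y)."""
    x, y = rand_scalar(True), rand_scalar(True)
    h = pow(G, rand_scalar(True), Q)
    # u = h^{1/x} and v = h^{1/y}; exponent inverses live in Z_p, the group order
    u = pow(h, pow(x, -1, P), Q)
    v = pow(h, pow(y, -1, P), Q)
    return (u, v, h), (x, y)


def encrypt(pk, m):
    """(T1, T2, T3) = (u^a, v^b, m * h^{a+b}) for fresh a, b in Z_p; m must lie in G1."""
    u, v, h = pk
    a, b = rand_scalar(), rand_scalar()
    return (pow(u, a, Q), pow(v, b, Q), m * pow(h, (a + b) % P, Q) % Q)


def decrypt(sk, ct):
    """m = T3 / (T1^x * T2^y): T1^x = h^a and T2^y = h^b strip the mask h^{a+b}."""
    x, y = sk
    t1, t2, t3 = ct
    mask = pow(t1, x, Q) * pow(t2, y, Q) % Q
    return t3 * pow(mask, -1, Q) % Q


def is_linear_tuple(sk, ua, vb, hc):
    """Decision Linear with the trapdoor: (u^a)^x * (v^b)^y == h^c iff a + b = c.
    Holding (x, y) therefore breaks the Linear assumption for (u, v, h); this is
    also exactly the computation Open (Sect. 6) does on a signature's (T1, T2, T3)."""
    x, y = sk
    return pow(ua, x, Q) * pow(vb, y, Q) % Q == hc % Q


def encode(k):
    """Map an exponent k in Z_p to the group element G^k so it can be encrypted."""
    return pow(G, k % P, Q)
```

Messages have to be group elements, hence `encode`; in the group signature the "message" is the user's `A`, which already lives in `G1`.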



4 A Zero-Knowledge Protocol for SDH 

We are now ready to present the underlying building block for our group 
signature scheme. We present a protocol for proving possession of a solution to 
an SDH problem. The public values are $g_1, u, v, h \in G_1$ and $g_2, w \in G_2$. Here 
$w = g_2^{\gamma}$ for some (secret) $\gamma \in \mathbb{Z}_p$. The protocol proves possession of a pair 
$(A, x)$, where $A \in G_1$ and $x \in \mathbb{Z}_p$, such that $A^{x+\gamma} = g_1$. Such a pair satisfies 
$e(A, w g_2^{\,x}) = e(g_1, g_2)$. We use a standard generalization of Schnorr's protocol for 
proving knowledge of discrete logarithm in a group of prime order [26]. 

Protocol 1. Alice, the prover, selects exponents $\alpha, \beta \leftarrow \mathbb{Z}_p$, and computes a 
Linear encryption of $A$: 

$T_1 \leftarrow u^{\alpha}, \qquad T_2 \leftarrow v^{\beta}, \qquad T_3 \leftarrow A\,h^{\alpha+\beta}.$ 

She also computes two helper values $\delta_1 \leftarrow x\alpha$ and $\delta_2 \leftarrow x\beta$. 

Alice and Bob then undertake a proof of knowledge of values $(\alpha, \beta, x, \delta_1, \delta_2)$ 
satisfying the following five relations: 

$u^{\alpha} = T_1, \qquad v^{\beta} = T_2,$ 

$e(T_3, g_2)^{x} \cdot e(h, w)^{-\alpha-\beta} \cdot e(h, g_2)^{-\delta_1-\delta_2} = e(g_1, g_2)\,/\,e(T_3, w),$ 

$T_1^{\,x} u^{-\delta_1} = 1, \qquad T_2^{\,x} v^{-\delta_2} = 1.$ 

This proof proceeds as follows. Alice picks blinding values $r_\alpha, r_\beta, r_x, r_{\delta_1}$, and $r_{\delta_2}$ 
at random from $\mathbb{Z}_p$. She computes five values based on all these: 

$R_1 \leftarrow u^{r_\alpha}, \qquad R_2 \leftarrow v^{r_\beta},$ 

$R_3 \leftarrow e(T_3, g_2)^{r_x} \cdot e(h, w)^{-r_\alpha-r_\beta} \cdot e(h, g_2)^{-r_{\delta_1}-r_{\delta_2}},$ 

$R_4 \leftarrow T_1^{\,r_x} \cdot u^{-r_{\delta_1}}, \qquad R_5 \leftarrow T_2^{\,r_x} \cdot v^{-r_{\delta_2}}.$ 

She then sends $(T_1, T_2, T_3, R_1, R_2, R_3, R_4, R_5)$ to the verifier. Bob, the verifier, 
sends a challenge value $c$ chosen uniformly at random from $\mathbb{Z}_p$. Alice computes 
and sends back $s_\alpha = r_\alpha + c\alpha$, $s_\beta = r_\beta + c\beta$, $s_x = r_x + cx$, $s_{\delta_1} = r_{\delta_1} + c\delta_1$, and 
$s_{\delta_2} = r_{\delta_2} + c\delta_2$. Finally, Bob verifies the following five equations: 

$u^{s_\alpha} = T_1^{\,c} \cdot R_1$   (1) 

$v^{s_\beta} = T_2^{\,c} \cdot R_2$   (2) 

$e(T_3, g_2)^{s_x} \cdot e(h, w)^{-s_\alpha-s_\beta} \cdot e(h, g_2)^{-s_{\delta_1}-s_{\delta_2}} = \big(e(g_1, g_2)/e(T_3, w)\big)^{c} \cdot R_3$   (3) 

$T_1^{\,s_x} \cdot u^{-s_{\delta_1}} = R_4$   (4) 

$T_2^{\,s_x} \cdot v^{-s_{\delta_2}} = R_5$   (5) 

Bob accepts if all five hold. 

Theorem 1. Protocol 1 is an honest-verifier zero-knowledge proof of knowledge 
of an SDH pair under the Decision Linear assumption. 

The proof of the theorem follows from the following lemmas that show that 
the protocol is (1) complete (the verifier always accepts an interaction with 
an honest prover), (2) zero-knowledge (can be simulated), and (3) a proof of 
knowledge (has an extractor). 

Lemma 1. Protocol 1 is complete. 

Proof. If Alice is an honest prover in possession of an SDH pair $(A, x)$ she follows 
the computations specified for her in the protocol. In this case, 

$u^{s_\alpha} = u^{r_\alpha + c\alpha} = (u^{\alpha})^{c} \cdot u^{r_\alpha} = T_1^{\,c} \cdot R_1,$ 

so (1) holds. For analogous reasons (2) holds. Further, 

$T_1^{\,s_x} \cdot u^{-s_{\delta_1}} = T_1^{\,r_x + cx} \cdot u^{-r_{\delta_1} - c\delta_1} = (T_1^{\,x} \cdot u^{-\delta_1})^{c} \cdot (T_1^{\,r_x} \cdot u^{-r_{\delta_1}}) = (u^{\alpha x} \cdot u^{-\delta_1})^{c} \cdot R_4 = R_4,$ 

so (4) holds. For analogous reasons (5) holds. Finally, 

$e(T_3, g_2)^{s_x} \cdot e(h, w)^{-s_\alpha-s_\beta} \cdot e(h, g_2)^{-s_{\delta_1}-s_{\delta_2}}$ 

$= e(T_3, g_2)^{r_x + cx} \cdot e(h, w)^{-r_\alpha - r_\beta - c\alpha - c\beta} \cdot e(h, g_2)^{-r_{\delta_1} - r_{\delta_2} - c\delta_1 - c\delta_2}$ 

$= e(T_3, g_2^{\,x})^{c} \cdot e(h^{-\alpha-\beta}, w g_2^{\,x})^{c} \cdot \big(e(T_3, g_2)^{r_x} \cdot e(h, w)^{-r_\alpha-r_\beta} \cdot e(h, g_2)^{-r_{\delta_1}-r_{\delta_2}}\big)$ 

$= e(T_3 h^{-\alpha-\beta}, w g_2^{\,x})^{c} \cdot e(T_3, w)^{-c} \cdot R_3$ 

$= \big(e(A, w g_2^{\,x}) / e(T_3, w)\big)^{c} \cdot R_3 = \big(e(g_1, g_2)/e(T_3, w)\big)^{c} \cdot R_3,$ 

so (3) holds. □ 

Lemma 2. Transcripts of Protocol 1 can be simulated, under the Decision Linear 
assumption. 

Proof. We describe a simulator that outputs transcripts of Protocol 1. 

Pick $A \leftarrow G_1$ and $\alpha, \beta \leftarrow \mathbb{Z}_p$. Set $T_1 \leftarrow u^{\alpha}$, $T_2 \leftarrow v^{\beta}$, and $T_3 \leftarrow A h^{\alpha+\beta}$. 

Assuming the Decision Linear assumption holds on $G_1$, the tuples $(T_1, T_2, T_3)$ 
generated by the simulator are drawn from a distribution that is indistinguishable 
from the distribution output by any particular prover. 

The remainder of this simulator does not assume knowledge of $A$, $x$, $\alpha$, or $\beta$, 
so it can also be used when $T_1$, $T_2$, and $T_3$ are pre-specified. When the pre-specified 
$(T_1, T_2, T_3)$ are a random Linear encryption of some $A$, the remainder 
of the transcript is simulated perfectly. 

Now choose a challenge $c \leftarrow \mathbb{Z}_p$. Select $s_\alpha \leftarrow \mathbb{Z}_p$, and set $R_1 \leftarrow u^{s_\alpha} / T_1^{\,c}$. Then 
(1) is satisfied. With $\alpha$ and $c$ fixed, a choice for either of $r_\alpha$ or $s_\alpha$ determines 
the other, and a uniform random choice of one gives a uniform random choice 
of the other. Therefore $s_\alpha$ and $R_1$ are distributed as in a real transcript. Choose 
$s_\beta$ and $R_2$ analogously. 

Select $s_x, s_{\delta_1}, s_{\delta_2} \leftarrow \mathbb{Z}_p$, set $R_4 \leftarrow T_1^{\,s_x} u^{-s_{\delta_1}}$ and $R_5 \leftarrow T_2^{\,s_x} v^{-s_{\delta_2}}$. Again, all 
the computed values are distributed as in a real transcript. Finally set 

$R_3 \leftarrow e(T_3, g_2)^{s_x} \cdot e(h, w)^{-s_\alpha-s_\beta} \cdot e(h, g_2)^{-s_{\delta_1}-s_{\delta_2}} \cdot \big(e(T_3, w)/e(g_1, g_2)\big)^{c}.$ 

This $R_3$ satisfies (3), and it, too, is properly distributed. 

The transcript output is $(T_1, T_2, T_3, R_1, R_2, R_3, R_4, R_5, c, s_\alpha, s_\beta, s_x, s_{\delta_1}, s_{\delta_2})$. 
As argued above, this transcript is distributed identically to transcripts of Protocol 
1, assuming the Decision Linear assumption holds. □ 

Lemma 3. There exists an extractor for Protocol 1. 

Proof. Suppose that an extractor can rewind a prover in the protocol above to 
the point just before the prover is given a challenge $c$. At the first step of the 
protocol, the prover sends $T_1, T_2, T_3$ and $R_1, R_2, R_3, R_4, R_5$. Then, to challenge 
value $c$, the prover responds with $s_\alpha, s_\beta, s_x, s_{\delta_1}$, and $s_{\delta_2}$. To challenge value $c' \neq c$, 
the prover responds with $s'_\alpha, s'_\beta, s'_x, s'_{\delta_1}$, and $s'_{\delta_2}$. If the prover is convincing, 
all five verification equations (1-5) hold for each set of values. 

For brevity, let $\Delta c = c - c'$, $\Delta s_\alpha = s_\alpha - s'_\alpha$, and similarly for $\Delta s_\beta$, $\Delta s_x$, 
$\Delta s_{\delta_1}$, and $\Delta s_{\delta_2}$. 

Now consider (1) above. Dividing the two instances of this equation, we 
obtain $u^{\Delta s_\alpha} = T_1^{\,\Delta c}$. The exponents are in a group of known prime order, so we 
can take roots; let $\tilde\alpha = \Delta s_\alpha / \Delta c$. Then $u^{\tilde\alpha} = T_1$. Similarly, from (2), we obtain 
$\tilde\beta = \Delta s_\beta / \Delta c$ such that $v^{\tilde\beta} = T_2$. 

Consider (4) above. Dividing the two instances gives $T_1^{\,\Delta s_x} = u^{\Delta s_{\delta_1}}$. Substituting 
$T_1 = u^{\tilde\alpha}$ gives $u^{\tilde\alpha \Delta s_x} = u^{\Delta s_{\delta_1}}$, or $\Delta s_{\delta_1} = \tilde\alpha \Delta s_x$. Similarly, from (5) we 
deduce that $\Delta s_{\delta_2} = \tilde\beta \Delta s_x$. 

Finally, dividing the two instances of (3), we obtain 

$\big(e(g_1, g_2)/e(T_3, w)\big)^{\Delta c} = e(T_3, g_2)^{\Delta s_x} \cdot e(h, w)^{-\Delta s_\alpha - \Delta s_\beta} \cdot e(h, g_2)^{-\Delta s_{\delta_1} - \Delta s_{\delta_2}}$ 

$= e(T_3, g_2)^{\Delta s_x} \cdot e(h, w)^{-\Delta s_\alpha - \Delta s_\beta} \cdot e(h, g_2)^{-\tilde\alpha \Delta s_x - \tilde\beta \Delta s_x}.$ 

Taking $\Delta c$-th roots, and letting $\tilde x = \Delta s_x / \Delta c$, we obtain 

$e(g_1, g_2)/e(T_3, w) = e(T_3, g_2)^{\tilde x} \cdot e(h, w)^{-\tilde\alpha - \tilde\beta} \cdot e(h, g_2)^{-\tilde x \tilde\alpha - \tilde x \tilde\beta}.$ 

This can be rearranged as 

$e(g_1, g_2) = e(T_3 h^{-\tilde\alpha - \tilde\beta}, w g_2^{\,\tilde x}),$ 

or, letting $\tilde A = T_3 h^{-\tilde\alpha - \tilde\beta}$, 

$e(\tilde A, w g_2^{\,\tilde x}) = e(g_1, g_2).$ 

Thus the extractor obtains an SDH tuple $(\tilde A, \tilde x)$. Moreover, the $\tilde A$ in this SDH 
tuple is, perforce, the same as that in the Linear encryption $(T_1, T_2, T_3)$. □ 



5 SDH Signatures of Knowledge 

Armed with Theorem 1, we obtain from Protocol 1 a signature scheme secure in 
the random oracle model by applying the Fiat-Shamir heuristic [16]. Signatures 
obtained from a proof of knowledge via the Fiat-Shamir heuristic are often called 
signatures of knowledge. We use a variant of the Fiat-Shamir heuristic, used also 
by Ateniese et al. [2], where the challenge $c$ rather than the values $R_1, \ldots, R_5$ is 
transmitted in the signature; the output of the random oracle acts as a checksum 
for those values not transmitted. 

The signature scheme is defined as follows. The public key contains a hash 
function (viewed as a random oracle) $H : \{0,1\}^* \to \mathbb{Z}_p$, groups $G_1$ and $G_2$ with 
respective generators $g_1$ and $g_2$ as in Sect. 2, the random generators $u$, $v$, and $h$ 
of $G_1$, and $w = g_2^{\gamma} \in G_2$, where $\gamma$ is chosen at random in $\mathbb{Z}_p^*$. The private key 
is an SDH pair $(A, x)$, i.e., a pair such that $A^{x+\gamma} = g_1$. Any such pair is a valid 
private key. 

The signer signs a message $M \in \{0,1\}^*$ using the private key $(A, x)$ as follows. 
She first undertakes the computation specified in the first round of Protocol 1 
to obtain $T_1, T_2, T_3, R_1, R_2, R_3, R_4, R_5$. She obtains the challenge $c$ by giving $M$ 
and her first-round values to the random oracle: 

$c \leftarrow H(M, T_1, T_2, T_3, R_1, R_2, R_3, R_4, R_5) \in \mathbb{Z}_p.$   (6) 

She then undertakes the computation specified in the third round of the protocol 
using the challenge value $c$ to obtain $s_\alpha, s_\beta, s_x, s_{\delta_1}, s_{\delta_2}$. Finally, she outputs the 
signature $\sigma$, computed as 

$\sigma \leftarrow (T_1, T_2, T_3, c, s_\alpha, s_\beta, s_x, s_{\delta_1}, s_{\delta_2}).$   (7) 

The verifier uses equations (1-5) to re-derive $\tilde R_1, \tilde R_2, \tilde R_3, \tilde R_4$, and $\tilde R_5$: 

$\tilde R_1 \leftarrow u^{s_\alpha} / T_1^{\,c}, \qquad \tilde R_2 \leftarrow v^{s_\beta} / T_2^{\,c}, \qquad \tilde R_4 \leftarrow T_1^{\,s_x} \cdot u^{-s_{\delta_1}}, \qquad \tilde R_5 \leftarrow T_2^{\,s_x} \cdot v^{-s_{\delta_2}},$ 

$\tilde R_3 \leftarrow e(T_3, g_2)^{s_x} \cdot e(h, w)^{-s_\alpha-s_\beta} \cdot e(h, g_2)^{-s_{\delta_1}-s_{\delta_2}} \cdot \big(e(T_3, w)/e(g_1, g_2)\big)^{c}.$ 

He then checks that these, along with the other first-round messages included 
in $\sigma$, give the challenge $c$, i.e., that 

$c = H(M, T_1, T_2, T_3, \tilde R_1, \tilde R_2, \tilde R_3, \tilde R_4, \tilde R_5).$   (8) 

He accepts if this check succeeds. 

The Fiat-Shamir heuristic shows that this signature scheme is secure against 
existential forgery in the random oracle model [1]. Note that a signature comprises 
three elements of $G_1$ and six of $\mathbb{Z}_p$. 
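The following added example (not the paper's code) runs the Schnorr-type part of Protocol 1, relations (1), (2), (4) and (5), first as the three-move protocol with a rewinding extractor in the style of Lemma 3, and then as the Fiat-Shamir variant described above, in which only $c$ and the $s$ values are transmitted and the verifier recomputes the $R$ values and checks the hash. Relation (3) is omitted because it needs the pairing, so nothing here binds $x$ to an SDH pair; the group (quadratic residues modulo 1019, of prime order 509), the hash (SHA-256) and the decision to carry the full digest as $c$ instead of its reduction modulo $p$ are assumptions of the example.

```python
# The Schnorr-type core of Protocol 1, restricted to relations (1), (2), (4)
# and (5), plus the Fiat-Shamir "checksum" variant of Sect. 5 and the rewinding
# extractor of Lemma 3.  Added example, not the paper's code.  Relation (3),
# the only one that needs the pairing, is omitted, so nothing here binds x to A;
# the rest is plain discrete-log arithmetic in a toy prime-order group
# (quadratic residues modulo the safe prime Q = 1019, prime order P = 509,
# generator G = 4; toy sizes, an assumption of this example).
import hashlib
import secrets

Q, P, G = 1019, 509, 4


def rand_scalar():
    return secrets.randbelow(P)


def setup():
    """Public values (u, v, T1, T2) and the prover's witness
    (alpha, beta, x, delta1, delta2) with T1 = u^alpha, T2 = v^beta,
    delta1 = x*alpha and delta2 = x*beta, as in Protocol 1."""
    u = pow(G, 1 + secrets.randbelow(P - 1), Q)
    v = pow(G, 1 + secrets.randbelow(P - 1), Q)
    alpha, beta, x = rand_scalar(), rand_scalar(), rand_scalar()
    pub = (u, v, pow(u, alpha, Q), pow(v, beta, Q))
    return pub, (alpha, beta, x, alpha * x % P, beta * x % P)


def commit(pub, r):
    """First move: R1 = u^{r_a}, R2 = v^{r_b}, R4 = T1^{r_x} u^{-r_d1}, R5 = T2^{r_x} v^{-r_d2}."""
    u, v, t1, t2 = pub
    ra, rb, rx, rd1, rd2 = r
    return (pow(u, ra, Q),
            pow(v, rb, Q),
            pow(t1, rx, Q) * pow(u, -rd1 % P, Q) % Q,
            pow(t2, rx, Q) * pow(v, -rd2 % P, Q) % Q)


def respond(w, r, c):
    """Third move: s_i = r_i + c * w_i in Z_p for each witness component."""
    return tuple((ri + c * wi) % P for ri, wi in zip(r, w))


def recompute(pub, c, s):
    """Verifier's side of (1), (2), (4), (5), each solved for its R_i."""
    u, v, t1, t2 = pub
    sa, sb, sx, sd1, sd2 = s
    return (pow(u, sa, Q) * pow(t1, -c % P, Q) % Q,     # (1): u^{s_a} = T1^c R1
            pow(v, sb, Q) * pow(t2, -c % P, Q) % Q,     # (2): v^{s_b} = T2^c R2
            pow(t1, sx, Q) * pow(u, -sd1 % P, Q) % Q,   # (4): T1^{s_x} u^{-s_d1} = R4
            pow(t2, sx, Q) * pow(v, -sd2 % P, Q) % Q)   # (5): T2^{s_x} v^{-s_d2} = R5


def challenge(msg, pub, R):
    """c = H(M, T1, T2, R1, R2, R4, R5).  The paper takes c in Z_p; here the full
    digest is what the signature carries (it is reduced mod p wherever it enters
    an exponent) so the toy-sized p does not give a 1/p false-accept rate."""
    data = msg + b"|" + b"|".join(str(x).encode() for x in pub + R)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(pub, w, msg):
    """Signature of knowledge (c, s): the R_i are not sent, c vouches for them."""
    r = tuple(rand_scalar() for _ in range(5))
    c = challenge(msg, pub, commit(pub, r))
    return c, respond(w, r, c)


def verify(pub, msg, sig):
    """Re-derive the R_i from (c, s) and check that they hash back to c."""
    c, s = sig
    return challenge(msg, pub, recompute(pub, c, s)) == c


def extract(c1, s1, c2, s2):
    """Lemma 3: two accepting responses to one commitment give w_i = ds_i / dc."""
    inv_dc = pow((c1 - c2) % P, -1, P)
    return tuple((a - b) * inv_dc % P for a, b in zip(s1, s2))


def rewind_demo(pub, w):
    """Rewind an interactive run: same first move, two challenges, then extract."""
    r = tuple(rand_scalar() for _ in range(5))
    R = commit(pub, r)
    c1, c2 = 17, 42                      # any two challenges distinct mod p
    s1, s2 = respond(w, r, c1), respond(w, r, c2)
    assert recompute(pub, c1, s1) == R and recompute(pub, c2, s2) == R
    return extract(c1, s1, c2, s2)
```

The extracted tuple satisfies $\delta_1 = \tilde\alpha \tilde x$ and $\delta_2 = \tilde\beta \tilde x$ automatically, which is the step in Lemma 3 that feeds the helper values into relation (3); adding the pairing relation on top of this skeleton is what turns the extracted $\tilde x$ into an SDH pair.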

6 Short Group Signatures from SDH 

The signature scheme presented in Sect. 5 is, in fact, also a group signature 
scheme. In describing the scheme, we follow the definitions given by Bellare 
et al. [6]. 

Consider bilinear groups $G_1$ and $G_2$ with respective generators $g_1$ and $g_2$, 
as in Sect. 2. Suppose further that the SDH assumption holds on $(G_1, G_2)$, 
and the Linear assumption holds on $G_1$. The scheme employs a hash function 
$H : \{0,1\}^* \to \mathbb{Z}_p$, treated as a random oracle in the proof of security. 

KeyGen($n$). This randomized algorithm takes as input a parameter $n$, the 
number of members of the group, and proceeds as follows. Select $h \leftarrow G_1 \setminus \{1_{G_1}\}$ 
and $\xi_1, \xi_2 \leftarrow \mathbb{Z}_p^*$, and set $u, v \in G_1$ such that $u^{\xi_1} = v^{\xi_2} = h$. Select 
$\gamma \leftarrow \mathbb{Z}_p^*$, and set $w = g_2^{\gamma}$. Using $\gamma$, generate for each user $i$, $1 \leq i \leq n$, 
an SDH tuple $(A_i, x_i)$: select $x_i \leftarrow \mathbb{Z}_p^*$, and set $A_i \leftarrow g_1^{1/(\gamma + x_i)}$. The group 
public key is $\mathsf{gpk} = (g_1, g_2, h, u, v, w)$. The private key of the group manager 
(the party able to trace signatures) is $\mathsf{gmsk} = (\xi_1, \xi_2)$. Each user's private 
key is her tuple $\mathsf{gsk}[i] = (A_i, x_i)$. No party is allowed to possess $\gamma$; it is only 
known to the private-key issuer. 

Sign($\mathsf{gpk}, \mathsf{gsk}[i], M$). Given a group public key $\mathsf{gpk} = (g_1, g_2, h, u, v, w)$, a 
user's key $\mathsf{gsk}[i] = (A_i, x_i)$, and a message $M \in \{0,1\}^*$, compute and output 
a signature of knowledge $\sigma = (T_1, T_2, T_3, c, s_\alpha, s_\beta, s_x, s_{\delta_1}, s_{\delta_2})$ as in the 
scheme of Sect. 5 (Equation (7)). 

Verify($\mathsf{gpk}, M, \sigma$). Given a group public key $\mathsf{gpk} = (g_1, g_2, h, u, v, w)$, a 
message $M$, and a group signature $\sigma$, verify that $\sigma$ is a valid signature of 
knowledge in the scheme of Sect. 5 (Equation (8)). 

Open($\mathsf{gpk}, \mathsf{gmsk}, M, \sigma$). This algorithm is used for tracing a signature to a 
signer. It takes as input a group public key $\mathsf{gpk} = (g_1, g_2, h, u, v, w)$ and 
the corresponding group manager's private key $\mathsf{gmsk} = (\xi_1, \xi_2)$, together 
with a message $M$ and a signature $\sigma = (T_1, T_2, T_3, c, s_\alpha, s_\beta, s_x, s_{\delta_1}, s_{\delta_2})$ to 
trace, and proceeds as follows. First, verify that $\sigma$ is a valid signature on $M$. 
Second, consider the first three elements $(T_1, T_2, T_3)$ as a Linear encryption, 
and recover the user's $A$ as $A \leftarrow T_3 / (T_1^{\,\xi_1} \cdot T_2^{\,\xi_2})$, following the decryption 
algorithm given at the end of Sect. 3.2. If the group manager is given the 
elements $\{A_i\}$ of the users' private keys, he can look up the user index 
corresponding to the identity $A$ recovered from the signature. 

Signature Length. A group signature in the system above comprises three ele- 
ments of G\ and six elements of Zp. Using any of the families of curves described 
in [9], one can take p to be a 170-bit prime and use a group G\ where each ele- 
ment is 171 bits. Thus, the total group signature length is 1533 bits or 192 bytes. 
With these parameters, security is approximately the same as a standard 1024- 
bit RSA signature, which is 128 bytes. 

Performance. The pairings $e(h, w)$, $e(h, g_2)$, and $e(g_1, g_2)$ can be precomputed 
and cached by both signers and verifiers. The signer can cache $e(A, g_2)$, and, when 
signing, compute $e(T_3, g_2)$ without evaluating a pairing, since $e(T_3, g_2) = e(A, g_2) \cdot e(h, g_2)^{\alpha+\beta}$. 
Accordingly, creating a group signature requires eight exponentiations (or 
multi-exponentiations) and no pairing computations. The verifier can derive $\tilde R_3$ 
efficiently by collapsing the $e(T_3, g_2)^{s_x}$ and $e(T_3, w)^{c}$ pairings into a single 
$e(T_3, w^{c} g_2^{\,s_x})$ term. Thus verifying a group signature requires six 
multi-exponentiations and one pairing computation. With parameters selected as 
above, the exponents are in every case 170-bit numbers. For the signer, all bases 
for exponentiation are fixed, which allows further speedup by precomputation. 

6.1 Group Signature Security 

We now turn to proving security of the system. Bellare et al. [6] give three 
properties that a group signature scheme must satisfy: 

— correctness, which ensures that honestly-generated signatures verify and 
trace correctly; 

— full-anonymity, which ensures that signatures do not reveal their signer’s 
identity; and 

— full-traceability, which ensures that all signatures, even those created by the 
collusion of multiple users and the group manager, trace to a member of the 
forging coalition. 
For the details of the definitions, see Bellare et al. [6]. We prove the security 
of our scheme using a variation of these properties. In our proofs, we relax the 
full-anonymity requirement. As presented [6, Sect. 2], the full-anonymity experiment 
allows the adversary to query the opening (tracing) oracle before and 
after receiving the challenge $\sigma$. In this respect, the experiment mirrors the 
indistinguishability experiment against an adaptive CCA2 adversary. We therefore 
rename this experiment CCA2-full-anonymity. We define a corresponding experiment, 
CPA-full-anonymity, in which the adversary cannot query the opening 
oracle. We prove privacy in this slightly weaker model. 

Access to the tracing functionality will likely be carefully controlled when 
group signatures are deployed, so CPA-full-anonymity is a reasonable model to 
consider. In any case, anonymity and unlinkability, the two traditional group 
signature security requirements implied by full anonymity [6, Sect. 3], also fol- 
low from CPA-full-anonymity. Thus a fully-traceable and CPA-fully-anonymous 
group signature scheme is still secure in the traditional sense. 

In the statements of the theorem, we use big-O notation to elide the specifics 
of additive terms in time bounds, noting that, for given groups G\ and G 2 , 
operations such as sampling, exponentiation, and bilinear map evaluation are all 
constant-time. 

Theorem 2. The SDH group signature scheme is correct. 

Proof. For any group public key $\mathsf{gpk} = (g_1, g_2, h, u, v, w)$, and for any user with 
key $\mathsf{gsk}[i] = (A_i, x_i)$, the key generation algorithm guarantees that $A_i^{\,x_i + \gamma} = g_1$, 
so $(A_i, x_i)$ is an SDH tuple for $w = g_2^{\gamma}$. A correct group signature $\sigma$ is a 
proof of knowledge, which is itself a transcript of the SDH protocol given in 
Sect. 4. Verifying the signature entails verifying that the transcript is correct; 
thus Lemma 1 shows that $\sigma$ will always be accepted by the verifier. 

Moreover, an honest signer outputs, as the first three components of any 
signature $\sigma$, values $(T_1, T_2, T_3) = (u^{\alpha}, v^{\beta}, A_i \cdot h^{\alpha+\beta})$ for some $\alpha, \beta \in \mathbb{Z}_p$. These 
values form a Linear encryption of $A_i$ under public key $(u, v, h)$, which the group 
manager, possessing the corresponding private key $(\xi_1, \xi_2)$, can always recover. 
Therefore any valid signature will always be opened correctly. □ 

Theorem 3. If Linear encryption is $(t', \epsilon')$-semantically secure on $G_1$ then the 
SDH group signature scheme is $(t, q_H, \epsilon)$-CPA-fully-anonymous, where $\epsilon = \epsilon'$ and 
$t = t' - q_H O(1)$. Here $q_H$ is the number of hash function queries made by the 
adversary and $n$ is the number of members of the group. 

Proof. Suppose $\mathcal{A}$ is an algorithm that $(t, \epsilon)$-breaks the anonymity of the 
group signature scheme. We show how to construct a $t + q_H O(1)$-time algorithm $\mathcal{B}$ 
that breaks the semantic security of Linear encryption (Sect. 3.2) with advantage 
at least $\epsilon$. 

Algorithm $\mathcal{B}$ is given a Linear encryption public key $(u, v, h)$. It generates the 
remaining components of the group signature public key by following the group 
signature's key generation algorithm. It then provides to $\mathcal{A}$ the group public 
key $(g_1, g_2, h, u, v, w)$, and the users' private keys $(A_i, x_i)$. 

At any time, $\mathcal{A}$ can query the random oracle $H$. Algorithm $\mathcal{B}$ responds with 
elements selected uniformly at random from $\mathbb{Z}_p$, making sure to respond identically 
to repeated queries. 

Algorithm $\mathcal{A}$ requests its full-anonymity challenge by providing two indices, 
$i_0$ and $i_1$, and a message $M$. Algorithm $\mathcal{B}$, in turn, requests its indistinguishability 
challenge by providing the two user private keys $A_{i_0}$ and $A_{i_1}$ as the messages 
whose Linear encryption it must distinguish. It is given a Linear encryption 
$(T_1, T_2, T_3)$ of $A_{i_b}$, where bit $b$ is chosen by the Linear encryption challenger. 

Algorithm $\mathcal{B}$ generates from this Linear encryption a protocol transcript 
$(T_1, T_2, T_3, R_1, R_2, R_3, R_4, R_5, c, s_\alpha, s_\beta, s_x, s_{\delta_1}, s_{\delta_2})$ by means of the simulator of 
Lemma 2. This simulator can generate a trace given $(T_1, T_2, T_3)$, even though $\mathcal{B}$ 
does not know $\alpha$, $\beta$, or $x$. Since $(T_1, T_2, T_3)$ is a random Linear encryption of $A_{i_b}$, 
the remainder of the transcript is distributed exactly as in a real protocol 
with a prover whose secret $A$ is $A_{i_b}$. 

Algorithm $\mathcal{B}$ then patches $H$ at $(M, T_1, T_2, T_3, R_1, R_2, R_3, R_4, R_5)$ to equal $c$. 
It encounters a collision only with negligible probability. In case of a collision, 
$\mathcal{B}$ declares failure and exits. Otherwise, it returns the valid group signature 
$\sigma \leftarrow (T_1, T_2, T_3, c, s_\alpha, s_\beta, s_x, s_{\delta_1}, s_{\delta_2})$ to $\mathcal{A}$. 

Finally, $\mathcal{A}$ outputs a bit $b'$. Algorithm $\mathcal{B}$ returns $b'$ as the answer to its own 
challenge. Since the encryption of $A_{i_b}$ is turned by $\mathcal{B}$ into a group signature by 
user $i_b$, $\mathcal{B}$ answers its challenge correctly whenever $\mathcal{A}$ does. 

The keys given to $\mathcal{A}$, and the answers to $\mathcal{A}$'s queries, are all valid and properly 
distributed. Therefore $\mathcal{A}$ succeeds in breaking the anonymity of the group signature 
$\sigma$ with advantage $\epsilon$, and $\mathcal{B}$ succeeds in distinguishing the Linear encryption 
$(T_1, T_2, T_3)$ with the same advantage. 

Algorithm $\mathcal{B}$'s running time exceeds $\mathcal{A}$'s by the amount it takes to answer 
$\mathcal{A}$'s queries. Each hash query can be answered in constant time, and there are at 
most $q_H$ of them. Algorithm $\mathcal{B}$ can also create the challenge group signature $\sigma$ 
in constant time. If $\mathcal{A}$ runs in time $t$, $\mathcal{B}$ runs in time $t + q_H O(1)$. □ 

The following theorem proves full traceability of our system. The proof is 
based on the forking lemma [24] and is given in the full version of the paper. 

Theorem 4. If SDH is $(q, t', \epsilon')$-hard on $(G_1, G_2)$, then the SDH group signature 
scheme is $(t, q_H, q_S, n, \epsilon)$-fully-traceable, where $n = q - 1$, $\epsilon = 4n\sqrt{2\epsilon' q_H} + n/p$, 
and $t = \Theta(1) \cdot t'$. Here $q_H$ is the number of hash function queries made by the 
adversary, $q_S$ is the number of signing queries made by the adversary, and $n$ is 
the number of members of the group. 

7 Revocation 

We now discuss how to revoke users in the SDH group signature scheme of 
Sect. 6. A number of revocation mechanisms for group signatures have been 
proposed [4,12]. All these mechanisms can be applied to our system. Here we 
describe a revocation mechanism along the lines of [12]. 

Recall that the group's public key in our system is $(g_1, g_2, h, u, v, w)$ where 
$w = g_2^{\gamma} \in G_2$ for random $\gamma \in \mathbb{Z}_p^*$ and random $h, u, v \in G_1$. User $i$'s private key 
is a pair $(A_i, x_i)$ where $A_i = g_1^{1/(\gamma + x_i)} \in G_1$. 

Now, suppose we wish to revoke users $1, \ldots, r$ without affecting the signing 
capability of other users. To do so, the Revocation Authority (RA) publishes 
a Revocation List (RL) containing the private keys of all revoked users. More 
precisely, $\mathrm{RL} = \{(A_1^*, x_1), \ldots, (A_r^*, x_r)\}$, where $A_i^* = g_2^{1/(\gamma + x_i)} \in G_2$. Note that 
$A_i = \psi(A_i^*)$. Here the SDH secret $\gamma$ is needed to compute the $A_i^*$'s. In the case 
where $G_1$ equals $G_2$ then $A_i = A_i^*$ and consequently the Revocation List can be 
derived directly from the private keys of revoked users without having to use $\gamma$. 

The list RL is given to all signers and verifiers in the system. It is used to 
update the group public key used to verify signatures. Let $y = \prod_{i=1}^{r} (\gamma + x_i) \in \mathbb{Z}_p^*$. 
The new public key is $(\bar g_1, \bar g_2, h, u, v, \bar w)$ where $\bar g_1 = g_1^{1/y}$, $\bar g_2 = g_2^{1/y}$, and 
$\bar w = (\bar g_2)^{\gamma}$. We show that, given RL, anyone can compute this new public key, 
and any unrevoked user can update her private key locally so that it is well 
formed with respect to this new public key. Revoked users are unable to do so. 

We show how to revoke one private key at a time. By repeating the process $r$ 
times (as the revocation list grows over time) we can revoke all private keys on 
the Revocation List. We first show how given the public key $(g_1, g_2, h, u, v, w)$ 
and one revoked private key $(A_1^*, x_1) \in \mathrm{RL}$ anyone can construct the new public 
key $(\bar g_1, \bar g_2, h, u, v, \bar w)$ where $\bar g_1 = g_1^{1/(\gamma + x_1)}$, $\bar g_2 = g_2^{1/(\gamma + x_1)}$, and $\bar w = (\bar g_2)^{\gamma}$. This 
new public key is constructed simply as: 

$\bar g_1 \leftarrow \psi(A_1^*), \qquad \bar g_2 \leftarrow A_1^*, \qquad \text{and} \qquad \bar w \leftarrow g_2 \cdot (A_1^*)^{-x_1};$ 

then $\bar g_1 = \psi(A_1^*) = g_1^{1/(\gamma + x_1)}$ and $\bar w = g_2 \cdot (A_1^*)^{-x_1} = g_2^{\,1 - x_1/(\gamma + x_1)} = g_2^{\,\gamma/(\gamma + x_1)} = (\bar g_2)^{\gamma}$, 
as required. 

Next, we show how unrevoked users update their own private keys. Consider 
an unrevoked user whose private key is $(A, x)$. Given a revoked private 
key $(A_1^*, x_1)$ the user computes $\bar A \leftarrow \psi(A_1^*)^{1/(x - x_1)} / A^{1/(x - x_1)}$ and sets his new 
private key to be $(\bar A, x)$. Then, indeed, 

$\bar A^{\,\gamma + x} = \psi(A_1^*)^{\frac{\gamma + x}{x - x_1}} \cdot \big(A^{\gamma + x}\big)^{-\frac{1}{x - x_1}} = \psi(A_1^*)^{\frac{(\gamma + x_1) + (x - x_1)}{x - x_1}} \cdot g_1^{-\frac{1}{x - x_1}} = \psi(A_1^*) \cdot \Big(\psi(A_1^*)^{\gamma + x_1} / g_1\Big)^{\frac{1}{x - x_1}} = \psi(A_1^*) = \bar g_1,$ 

as required, since $\psi(A_1^*)^{\gamma + x_1} = g_1$. Hence, $(\bar A, x)$ is a valid private key with 
respect to $(\bar g_1, \bar g_2, h, u, v, \bar w)$. 

By repeating this process $r$ times (once for each revoked key in RL) anyone 
can compute the updated public key $(\bar g_1, \bar g_2, h, u, v, \bar w)$ defined above. Similarly, 
an unrevoked user with private key $(A, x)$ can compute his updated private key 
$(\bar A, x)$ where $\bar A = \bar g_1^{\,1/(\gamma + x)}$. We note that it is possible to process the entire 
RL at once (as opposed to one element at a time) and compute $(\bar g_1, \bar g_2, h, u, v, \bar w)$ 
directly; however this is less efficient when keys are added to RL incrementally. 

A revoked user cannot construct a private key for the new public key 
$(\bar g_1, \bar g_2, h, u, v, \bar w)$. In fact, the proof of Theorem 4 shows that, if a revoked user can generate 
signatures for the new public key $(\bar g_1, \bar g_2, h, u, v, \bar w)$, then that user can be used 
to break the SDH assumption. Very briefly, the reason is that given an SDH 
challenge one can easily generate a public key tuple $(g_1, g_2, h, u, v, w)$ along with 
the private key for a revoked user $(A_1^*, x_1)$. Then an algorithm that can forge 
signatures given these two tuples can be used to solve the SDH challenge. 
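As an added example (not the paper's code), the update algebra above is carried out below in Python for the case $G_1 = G_2$, so $\psi$ is the identity and $A_i^* = A_i$. A toy prime-order group is used (quadratic residues modulo 1019, of prime order 509, an assumption of the example); keys are $A_i = g_1^{1/(\gamma + x_i)}$, and since no pairing is available the validity check $A^{\gamma + x} = g_1$ is performed on the issuer's side with $\gamma$ purely to show that the algebra closes. Revocations are chained one key at a time as the text describes: the second key revoked is the one user 2 holds under the already-updated public key.

```python
# Revocation by public-key update (Sect. 7) in a toy prime-order group with
# G1 = G2, so psi is the identity and A_i^* = A_i.  Added example, not the
# paper's code.  The group is the quadratic residues modulo the safe prime
# Q = 1019 (prime order P = 509, generator G = 4); sizes are toy and, with no
# pairing available, gamma is used on the issuer's side to check validity.
# h, u, v are left out of the public key because revocation never touches them.
import secrets

Q, P, G = 1019, 509, 4


def inv(e):
    """Inverse of a nonzero exponent in Z_p (the group order)."""
    return pow(e % P, -1, P)


def setup_group(gamma=None):
    """Issuer picks gamma; with G1 = G2 take g1 = g2 = G and w = g2^gamma.
    Returns the public part (g1, g2, w) and the issuer secret gamma."""
    if gamma is None:
        gamma = 1 + secrets.randbelow(P - 1)
    return (G, G, pow(G, gamma, Q)), gamma


def issue(gamma, g1, used, x=None):
    """Issuer: SDH pair (A_i, x_i) with A_i = g1^{1/(gamma + x_i)}, x_i fresh unless given."""
    while x is None or x in used or (gamma + x) % P == 0:
        x = 1 + secrets.randbelow(P - 1)
    used.add(x)
    return pow(g1, inv(gamma + x), Q), x


def is_valid(gpk, key, gamma):
    """A^{gamma + x} == g1.  A verifier would check e(A, w g2^x) = e(g1, g2)
    instead; gamma is available here only because this is the issuer's view."""
    g1, _, _ = gpk
    A, x = key
    return pow(A, (gamma + x) % P, Q) == g1


def revoke(gpk, revoked):
    """Anyone holding (A*, x*) from RL derives the new public key:
    g1' = psi(A*) = A*, g2' = A*, w' = g2 * (A*)^{-x*}  (which equals g2'^gamma)."""
    _, g2, _ = gpk
    A_star, x_star = revoked
    w_new = g2 * pow(A_star, -x_star % P, Q) % Q
    return (A_star, A_star, w_new)


def update_key(key, revoked):
    """Unrevoked user: A' = psi(A*)^{1/(x - x*)} / A^{1/(x - x*)}, x unchanged.
    The revoked user has x = x*, so the exponent does not exist for them."""
    A, x = key
    A_star, x_star = revoked
    if (x - x_star) % P == 0:
        raise ValueError("no update exists for the revoked key itself")
    e = inv(x - x_star)
    return pow(A_star, e, Q) * pow(A, -e % P, Q) % Q, x
```

After $r$ chained revocations the public key's first component equals $g_1^{1/y}$ with $y = \prod (\gamma + x_i)$, matching the direct formula in the text, and every updated key still satisfies the SDH relation with respect to it while each revoked key fails it.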
Brickell [11] proposes an alternate mechanism where revocation messages are 
only sent to signature verifiers, so that there is no need for unrevoked signers to 
update their keys. Similar mechanisms were also considered by Ateniese et al. [4] 
and Kiayias et al. [19]. We refer to this as Verifier-Local Revocation (VLR) group 
signatures. Boneh and Shacham [10] show how to modify our group signature 
scheme to support this VLR revocation mechanism. 

8 Exculpability 

In Bellare et al. [6], exculpability (introduced by Ateniese and Tsudik [3]) is 
informally defined as follows: No member of the group and not even the group 
manager - the entity that is given the tracing key - can produce signatures on 
behalf of other users. Thus, no user can be framed for producing a signature 
he did not produce. They argue that a group signature secure in the sense of 
full-traceability also has the exculpability property. Thus, in the terminology of 
Bellare et al. [6], our group signature has the exculpability property. 

A stronger notion of exculpability is considered in Ateniese et al. [2], where 
one requires that even the entity that issues user keys cannot forge signatures 
on behalf of users. Formalizations of strong exculpability have recently been 
proposed by Kiayias and Yung [20] and by Bellare, Shi, and Zhang [7]. 

To achieve this stronger property the system of Ateniese et al. [2] uses a 
protocol (called JOIN) to issue a key to a new user. At the end of the protocol, 
the key issuer does not know the full private key given to the user and therefore 
cannot forge signatures under the user’s key. 

Our group signature scheme can be extended to provide strong exculpability 
using a similar mechanism. Instead of simply giving user $i$ the private key 
$(A_i, x_i)$, the user and key issuer engage in a JOIN protocol where at the end 
of the protocol user $i$ has a triple $(A_i, x_i, y_i)$ such that $A_i^{\,x_i + \gamma} h_1^{\,y_i} = g_1$ for some 
public parameter $h_1$. The value $y_i$ is chosen by the user and is kept secret from 
the key issuer. The ZKPK of Sect. 4 can be modified to prove knowledge of such a 
triple. The resulting system is a short group signature with strong exculpability. 

9 Conclusions 

We presented a group signature scheme based on the Strong Diffie-Hellman 
(SDH) and Linear assumptions. The signature makes use of a bilinear map 
$e : G_1 \times G_2 \to G_T$. When any of the curves described in [9] are used, the 
group $G_1$ has a short representation and consequently we get a group signature 
whose length is under 200 bytes, less than twice the length of an ordinary RSA 
signature (128 bytes) with comparable security. Signature generation requires no 
pairing computations, and verification requires a single pairing; both also require 
a few exponentiations with short exponents. 
Abstract. We propose a new and efficient signature scheme that is prov- 
ably secure in the plain model. The security of our scheme is based on a 
discrete-logarithm-based assumption put forth by Lysyanskaya, Rivest, 
Sahai, and Wolf (LRSW) who also showed that it holds for generic groups 
and is independent of the decisional Diffie-Hellman assumption. We prove 
security of our scheme under the LRSW assumption for groups with bi- 
linear maps. We then show how our scheme can be used to construct 
efficient anonymous credential systems as well as group signature and 
identity escrow schemes. To this end, we provide efficient protocols that 
allow one to prove in zero-knowledge the knowledge of a signature on a 
committed (or encrypted) message and to obtain a signature on a com- 
mitted message. 

1 Introduction 

Digital signature schemes, invented by Diffie and Hellman [20], and formalized 
by Goldwasser, Micali and Rivest [26], not only provide the electronic equivalent 
of signing a paper document with a pen but also are an important building block 
for many cryptographic protocols such as anonymous voting schemes, e-cash, and 
anonymous credential schemes, to name just a few. 

Signature schemes exist if and only if one-way functions exist [32, 35]. How- 
ever, the efficiency of these general constructions, and also the fact that these 
signature schemes require the signer’s secret key to change between invocations 
of the signing algorithm, make these solutions undesirable in practice. 

Using an ideal random function (this is the so-called random-oracle model), 
several, much more efficient signature schemes were shown to be secure. Most 
notably, those are the RSA [34], the Fiat-Shamir [21], and the Schnorr [36] 
signature schemes. However, ideal random functions cannot be implemented in 
the plain model [13, 25], and therefore in the plain model, these signature schemes 
are not provably secure. 

Over the years, many researchers have come up with signature schemes that 
are efficient and at the same time provably secure in the plain model. The most 
efficient ones provably secure in the standard model are based on the strong RSA 
assumption [23, 19, 22, 10]. However, no scheme based on an assumption related 
to the discrete logarithm assumption in the plain (as opposed to random-oracle) 
model comes close to the efficiency of these schemes. 

M. Franklin (Ed.): CRYPTO 2004, LNCS 3152, pp. 56-72, 2004. 

© International Association for Cryptologic Research 2004 
In this paper, we propose a new signature scheme that is based on an assump- 
tion introduced by Lysyanskaya, Rivest, Sahai, and Wolf [30] and uses bilinear 
maps. This assumption was shown to hold for generic groups [30], and be in- 
dependent of the decisional Diffie-Hellman assumption. Our signature scheme’s 
efficiency is comparable to the schemes mentioned above that are based on the 
Strong RSA assumption. 

We further extend our basic signature scheme such that it can be used as a 
building block for cryptographic protocols. To this end, we provide protocols to 
prove knowledge of a signature on a committed message and to obtain a signa- 
ture on a committed message. These protocols yield a group signature scheme 
[17] or an anonymous credential system [14] (cf. [10]). That is, we obtain the 
first efficient and secure credential system and group signature/identity escrow 
schemes [28] that are based solely on discrete-logarithm-related assumptions. 
We should mention that an anonymous credential system proposed by Verheul 
[38] is also only based on discrete logarithm related assumptions; however, the 
scheme is not proven secure. Also note that the recent scheme by Ateniese and de 
Medeiros [2] requires the strong RSA assumption although no party is required 
to know an RSA secret key during the operation of the system. 

Note that not only are our group signature and anonymous credential schemes 
interesting because they are based on a different assumption, but also because 
they are much more efficient than any of the existing schemes. All prior schemes 
[1, 9, 10, 2] required proofs of knowledge of representations over groups modulo 
large moduli (for example, modulo an RSA modulus, whose recommended length 
is about 2K bits). 

Recently, independently from our work, Boneh and Boyen [4] put forth a 
signature scheme that is also provably secure under a discrete-logarithm-type 
assumption about groups with bilinear maps. In contrast to their work, our 
main goal is not just an efficient signature scheme, but a set of efficient pro- 
tocols to prove knowledge of signatures and to issue signatures on committed 
(secret) messages. Our end goal is higher-level applications, i.e., group signature 
and anonymous credential schemes that can be constructed based solely on an 
assumption related to the discrete logarithm assumption. 

In another recent independent work, Boneh, Boyen, and Shacham [5] con- 
struct a group signature scheme based on different discrete-logarithm-type as- 
sumptions about groups with bilinear pairings. Their scheme yields itself to the 
design of a signature scheme with efficient protocols as well. In §5 we describe 
their scheme and its connection to our work in more detail. 

Outline of the Paper. In §2 we give our notation and some number-theoretic 
preliminaries, including bilinear maps and the LRSW assumption. In §3, we 
give our signature scheme and prove it secure. In §4 we show how our signature 
yields itself to the design of an anonymous credential system: we give protocols 
for obtaining a signature on a committed value, and for proving knowledge of a 
signature on a committed value. At the end of that section, we show how to realize 
a group signature scheme based on our new signature. Finally, in Section 5, we 
show that the scheme of Boneh, Boyen and Shacham can be extended so that 
a signature scheme with efficient protocols, similar to the one we describe in 
Sections 3 and 4, can be obtained based on their assumptions as well. 



2 Preliminaries 

We use notation introduced by Micali [31] (also called the GMR notation), and 
also notation introduced by Camenisch and Stadler [12]. Here we review it briefly; 
the complete description can be found in the full version [CL04] of this paper. 

If A is an algorithm, and b is a Boolean function, then by (y ← A(x) : b(y)) 
we denote the event that b(y) = 1 after y was generated by running A on input x. 
By A^O(·), we denote a Turing machine that makes queries to an oracle O. By 
Q = Q(A^O(x)) ← A^O(x) we denote the contents of the query tape once A 
terminates, with oracle O and input x. 

A function ν(k) is negligible if for every positive polynomial p(·) and for 
sufficiently large k, ν(k) < 1/p(k). 

Camenisch and Stadler [12] introduced notation for various proofs of knowl- 
edge of discrete logarithms and proofs of the validity of statements about discrete 
logarithms. For instance, 

PK{(α, β, γ) : y = g^α h^β ∧ ỹ = g̃^α h̃^γ ∧ (u < α < w)} 

denotes a “zero-knowledge Proof of Knowledge of integers α, β, and γ such that 
y = g^α h^β and ỹ = g̃^α h̃^γ holds, where u < α < w,” where y, g, h, ỹ, g̃, and h̃ are 
elements of some groups G = ⟨g⟩ = ⟨h⟩ and G̃ = ⟨g̃⟩ = ⟨h̃⟩. The convention 
is that Greek letters denote quantities the knowledge of which is being proved, 
while all other parameters are known to the verifier. We will sometimes apply 
the Fiat-Shamir heuristic to turn such a proof into a signature on a message m, 
which we will denote as, e.g., SPK{(α) : y = g^α}(m). 

We also use the standard definition of a digital signature scheme [26] . 



2.1 Number-Theoretic Preliminaries 

We now describe some number-theoretic preliminaries. Suppose that we have 
a setup algorithm Setup that, on input the security parameter 1^k, outputs the 
setup for G = ⟨g⟩ and G̃ = ⟨g̃⟩, two groups of prime order q = Θ(2^k) that have a 
non-degenerate efficiently computable bilinear map e. More precisely: We assume 
that associated with each group element, there is a unique binary string that 
represents it. (For example, if G = Z_p^*, then an element of G can be represented 
as an integer between 1 and p − 1.) Following prior work (for example, Boneh 
and Franklin [6]), e is a function, e : G × G → G̃, such that 

— (Bilinear) For all P, Q ∈ G, for all a, b ∈ Z, e(P^a, Q^b) = e(P, Q)^{ab}. 

— (Non-degenerate) There exist some P, Q ∈ G such that e(P, Q) ≠ 1 where 
1 is the identity of G̃. 

— (Efficient) There exists an efficient algorithm for computing e. 

We write: (q, G, G̃, g, g̃, e) ← Setup(1^k). It is easy to see, from the first two 
properties, and from the fact that G and G̃ are both of the same prime order q, 
that whenever g is a generator of G, g̃ = e(g, g) is a generator of G̃. 

Such groups, based on the Weil and Tate pairings over elliptic curves (see 
Silverman [37]), have been extensively relied upon in cryptographic literature 
over the past few years (cf. [27,6,7,24] to name a few results). 

Further, we make the following assumption about the groups G and G̃. 

Assumption 2.1 (LRSW Assumption) Suppose that G = ⟨g⟩ is a group cho- 
sen by the setup algorithm Setup. Let X, Y ∈ G, X = g^x, Y = g^y. Let O_{X,Y}(·) 
be an oracle that, on input a value m ∈ Z_q, outputs a triple A = (a, a^y, a^{x+mxy}) 
for a randomly chosen a. Then for all probabilistic polynomial time adversaries 
A, ν(k) defined as follows is a negligible function: 

Pr[(q, G, G̃, g, g̃, e) ← Setup(1^k); x ← Z_q; y ← Z_q; X = g^x; Y = g^y; 
(m, a, b, c) ← A^{O_{X,Y}}(q, G, G̃, g, g̃, e, X, Y) : m ∉ Q ∧ m ∈ Z_q 
∧ m ≠ 0 ∧ a ∈ G ∧ b = a^y ∧ c = a^{x+mxy}] = ν(k), 

where Q is the set of queries that A made to O_{X,Y}(·). 

This assumption was introduced by Lysyanskaya et al. [30], and considered 
for groups that are not known to admit an efficient bilinear map. It was also 
shown, in the same paper, that this assumption holds for generic groups. It is 
not hard to see that the proof carries over to generic groups G and G̃ with a 
bilinear map between them. 



3 Three Signature Schemes 

First, we present a simple signature scheme (Scheme A) and prove it secure under 
the LRSW assumption. Then, we modify this scheme to get signature schemes 
that lend themselves more easily to the design of efficient protocols for issuing 
a signature on a committed value and proving knowledge of a signature on a 
committed value. The first generalization allows one to sign so that the signa- 
ture produced is independent of the message (Scheme B), which we generalize 
further into a scheme that allows one to sign blocks of messages (Scheme C). 

Schemes A and B are, in fact, special cases of Scheme C. So we really propose 
just one new signature scheme, namely Scheme C. Schemes A and B are just 
steps that simplify our presentation by making it more modular. 

3.1 Scheme A: A Simple Signature Scheme 

The signature scheme consists of the following algorithms: 

Key generation. The key generation algorithm runs the Setup algorithm in 
order to generate (q, G, G̃, g, g̃, e). It then chooses x ← Z_q and y ← Z_q, and 
sets sk = (x, y), pk = (q, G, G̃, g, g̃, e, X, Y), where X = g^x and Y = g^y. 

Signature. On input message m, secret key sk = (x, y), and public key pk = 
(q, G, G̃, g, g̃, e, X, Y), choose a random a ∈ G, and output the signature 
σ = (a, a^y, a^{x+mxy}). 

Verification. On input pk = (q, G, G̃, g, g̃, e, X, Y), message m, and purported 
signature σ = (a, b, c), check that the following verification equations hold. 

e(a, Y) = e(g, b) and e(X, a) · e(X, b)^m = e(g, c). (1) 

Theorem 1. Signature Scheme A described above is correct and secure under 
the LRSW assumption. 

Proof. We first show correctness. The first verification equation holds as e(a, Y) = 
e(a, g)^y = e(g, a)^y = e(g, b) and the second one holds because e(X, a) · e(X, b)^m = 
e(g, a)^x · e(g, a)^{xym} = e(g, a)^{x+xym} = e(g, c). 

We now show security. Without loss of generality, let g̃ = e(g, g). 

Consider the adversary interacting with the signer and outputting a valid 
signature σ on some message m that he did not query for. It is clear that the 
signer acts the same way as the oracle O_{X,Y} defined in the LRSW assumption. 
Therefore, in order to prove security, we must show that the forgery σ = (a, b, c) 
that passes the verification equations, must be of the form (*) b = a^y and (**) 
c = a^{x+mxy}. 

Let a = g^α, b = g^β, c = g^γ. So, we wish to show that β/α = y, and that 
γ/α = x + mxy. 

From the first verification equation and the bilinearity of e, we get that 

g̃^{αy} = e(g, g)^{αy} = e(a, Y) = e(g, b) = e(g, g)^β = g̃^β. 

As g̃ is a generator of G̃, we can take the logarithm base g̃ on both sides, and 
obtain αy = β mod q, which gives us (*) as desired. 

From the second verification equation, using the above, and, again, the fact 
that g̃ is a generator: 

e(X, a) · e(X, b)^m = e(g, c) 
e(g, g)^{xα} · e(g, g)^{xβm} = e(g, g)^γ 
xα + mxβ = α(x + mxy) = γ. 



3.2 Scheme B: Where Signature Is Independent of the Message 

For constructing anonymous credentials, we need a signature scheme where the 
signature itself is distributed in a way that is information-theoretically indepen- 
dent of the message m being signed. In essence, what is being signed should be 
an information-theoretically secure commitment (Pedersen commitment) of the 
message. Thus, we modify Scheme A and obtain Scheme B as follows: 

Key generation. Run the Setup algorithm to generate (q, G, G̃, g, g̃, e). Choose 
x ← Z_q, y ← Z_q, z ← Z_q. Let X = g^x, Y = g^y and Z = g^z. Set sk = (x, y, z), 
pk = (q, G, G̃, g, g̃, e, X, Y, Z). 

Signature. On input message (m, r), secret key sk = (x, y, z), and public key 
pk = (q, G, G̃, g, g̃, e, X, Y, Z) do: 

— Choose a random a ← G. 

— Let A = a^z. 

— Let b = a^y, B = A^y. 

— Let c = a^{x+xym} A^{xyr}. 

Output σ = (a, A, b, B, c). 

Verification. On input pk = (q, G, G̃, g, g̃, e, X, Y, Z), message (m, r), and pur- 
ported signature σ = (a, A, b, B, c), check the following: 

1. A was formed correctly: e(a, Z) = e(g, A). 

2. b and B were formed correctly: e(a, Y) = e(g, b) and e(A, Y) = e(g, B). 

3. c was formed correctly: e(X, a) · e(X, b)^m · e(X, B)^r = e(g, c). 

Note that the values (g^m Z^r, a, A, b, B, c) are information-theoretically inde- 
pendent of m if r is chosen randomly. This will become crucial when using this 
signature scheme in the context of an anonymous credential system. 

Theorem 2. Signature Scheme B described above is correct and secure under 
the LRSW assumption. 

The full proof of this theorem is found in the full version [CL04] of this paper. 
Here we give a sketch. Correctness follows by inspection. To show security, we 
consider two types of forgery. A Type 1 forgery is on some message (m, r) such 
that for all previously queried (m_i, r_i) we have g^m Z^r ≠ g^{m_i} Z^{r_i}. A Type 2 forgery 
is when this is not the case. 

The existence of a Type-1 forger contradicts the LRSW assumption by reduc- 
tion from Signature Scheme A. On input a public key pk = (q, G, G̃, g, g̃, e, X, Y) 
for Scheme A, our reduction forms a public key pk' = (q, G, G̃, g, g̃, e, X, Y, Z) 
for Scheme B by choosing z ← Z_q and setting Z = g^z. It then runs the forger 
on input pk', and answers signature queries of the form (m_i, r_i) by transforming 
them into queries m'_i = m_i + r_i z mod q for the signature oracle for Scheme A. 
It is easy to see that a Type 1 forgery on (m, r) constitutes a successful forgery 
for the message m' = m + rz in Scheme A. 

The existence of a Type-2 forger contradicts the discrete logarithm assumption 
(and therefore the LRSW assumption). The reduction takes as input (q, G, G̃, g, 
g̃, e, Z), and sets up the public key for the signature scheme by choosing X and 
Y. It then runs the forger, answers all the signature queries (since it generated 
X and Y itself) and obtains a Type-2 forgery, namely (m, r), (m_i, r_i) such that 
g^m Z^r = g^{m_i} Z^{r_i} for some i. This immediately gives the discrete logarithm of Z 
to the base g. 

3.3 Scheme C: For Blocks of Messages 

Scheme B allows us to generate a signature on m in such a way that the signature 
itself reveals no information about m. Namely, one can choose a random r and 
sign (m, r) using Scheme B. In general, however, there is no reason that we should 
limit ourselves to pairs (m, r) when signing. In fact, the construction of Scheme 
B can be generalized to obtain Scheme C which can sign tuples (m^(0), ..., m^(ℓ)), 
i.e., blocks of messages. 

Jan Camenisch and Anna Lysyanskaya 

Scheme C consists of the following algorithms: 

Key generation. Run the Setup algorithm to generate (q, G, G̃, g, g̃, e). Choose 
x ← Z_q, y ← Z_q, and for 1 ≤ i ≤ ℓ, z_i ← Z_q. Let X = g^x, Y = g^y and, for 1 ≤ 
i ≤ ℓ, Z_i = g^{z_i}. Set sk = (x, y, z_1, ..., z_ℓ), pk = (q, G, G̃, g, g̃, e, X, Y, {Z_i}). 

Signature. On input message (m^(0), ..., m^(ℓ)), secret key sk = (x, y, 
z_1, ..., z_ℓ), and public key pk = (q, G, G̃, g, g̃, e, X, Y, {Z_i}) do: 

— Choose a random a ← G. 

— Let A_i = a^{z_i} for 1 ≤ i ≤ ℓ. 

— Let b = a^y, B_i = (A_i)^y. 

— Let c = a^{x+xym^(0)} ∏_{i=1}^ℓ A_i^{xym^(i)}. 

Output σ = (a, {A_i}, b, {B_i}, c). 

Verification. On input pk = (q, G, G̃, g, g̃, e, X, Y, {Z_i}), message (m^(0), ..., m^(ℓ)), 
and purported signature σ = (a, {A_i}, b, {B_i}, c), check the following: 

1. {A_i} were formed correctly: e(a, Z_i) = e(g, A_i). 

2. b and {B_i} were formed correctly: e(a, Y) = e(g, b) and e(A_i, Y) = 
e(g, B_i). 

3. c was formed correctly: e(X, a) · e(X, b)^{m^(0)} · ∏_{i=1}^ℓ e(X, B_i)^{m^(i)} = e(g, c). 

The proof that this scheme is secure and correct is deferred to Corollary 1. 

4 Anonymous Credential System 
and Group Signature Scheme 

Following Camenisch and Lysyanskaya [10,29], in order to construct an anony- 
mous credential system, it is sufficient to exhibit a commitment scheme, a sig- 
nature scheme, and efficient protocols for (1) proving equality of two committed 
values; (2) getting a signature on a committed value (without revealing this value 
to the signer); and (3) proving knowledge of a signature on a committed value. 
We provide all these tools in this section. 

Constructing a group signature scheme or identity escrow scheme addition- 
ally requires an encryption scheme that is secure against adaptively chosen ci- 
phertext attacks and a protocol for proving that a committed value is contained in 
a ciphertext (cf. [12, 3, 11]). Camenisch and Shoup provide an encryption scheme 
and such a protocol [11]. However, in our case we could also use the Cramer-Shoup 
encryption scheme [18], provided that the order of the group over which encryp- 
tion is carried out is the same as the order of the group over which our signature 
scheme is constructed. This will allow for a more efficient proof that a ciphertext 
contains information to identify a group member and thus a more efficient group 
signature/identity escrow scheme. We will describe the details of this in §4.4. 

The reason that our new signature schemes are particularly suitable for the 
credential scheme application is the fact that, given one signature on a given 
message, it is easy to generate another one. Consider Signature Scheme A. From 
a signature σ = (a, b, c) on message m, it is very easy to compute a different 
signature σ̃ = (ã, b̃, c̃) on the same message m: just choose a random r ∈ Z_q and 
let ã = a^r, b̃ = b^r, c̃ = c^r. This alone is, of course, not sufficient, but this already 
shows the way in which the pieces of our credential scheme will fall into place. 



4.1 The Relevant Commitment Scheme 

Recall the Pedersen commitment scheme [33]: given a group G of prime order 
q with generators g and h, a commitment to x ∈ Z_q is formed by choosing 
a random r ← Z_q and setting the commitment C = g^x h^r. This commitment 

scheme is information-theoretically hiding, and is binding under the discrete 
logarithm assumption, which is implied by the LRSW assumption. Moreover, 
there exist in the literature efficient protocols for proving knowledge and equality 
of committed values (see, for example, [16,36,8,15]). 

4.2 Obtaining a Signature on a Committed Value 

When Information-Theoretic Hiding Is Not Needed. Consider the signing algo- 
rithm for Scheme A. Note that, if the input to the signer is g^m instead of m, 
the algorithm will still work: on input M = g^m, output a = g^α, b = a^y, and 
c = a^x M^{αxy}. To maintain security of the signature scheme, however, 
the user must prove knowledge of m to the signer. 

As we will discuss in more detail in §4.4, this leads to a natural application 
to constructing group signatures: in order to join a group, a new member will 
choose a secret m, give g^m to the group manager, prove knowledge of m, and 
obtain the membership certificate (a, b, c) formed as above. 

However, note here that the input to the signer, the value g^m, does not 
unconditionally hide the value m. Thus, if the user wishes to become a member 
in more than one group using the same secret m (as is the case if we want to build 
an anonymous credential system), the two group managers can discover that they 
are talking to the same user. This is easy to see if both group managers use the 
same generator g for G, because in that case, the user will give g^m to both of 
them. But this is true even if one group manager uses g, while the other uses a 
different generator g' of G: recall that in groups with bilinear pairings, the decisional 
Diffie-Hellman problem is easy, and so g^m and g'^m can be correlated: 
e(g^m, g') = e(g, g')^m = e(g, g'^m). 

This is why we need Schemes B and C instead of Scheme A. However, we 
note that for group signatures, Scheme A is sufficient. In the sequel, we will give 
the description of the protocol for Scheme C, together with a proof of security. 
Because Scheme A is a special case of Scheme C (in Scheme A, ℓ = 0), the 
security of the protocols for A is implied by that for C. 

Signing an Information- Theoretically Hidden Message. Signature Schemes B 
and C are ideally suited for obtaining a signature on a committed value. 

Consider Signature Scheme B. Note that to generate a valid signature, the 
signer need not know (m, r). Instead, it is sufficient that the signer know M = 
g^m Z^r. The values (a, A, b, B) are not a function of (m, r) - so the signer need 
not know (m, r) to generate them. Suppose that the signer generates them as 
follows: choose α ← Z_q, and let a = g^α. Choose A, b, and B as prescribed 
by the signing algorithm. Finally, the signer can compute c = a^{x+xym} A^{xyr} as 
c = a^x M^{αxy}. This will be correct, because: 

c = a^x M^{αxy} = a^x (g^m Z^r)^{αxy} 
= a^x (a^m A^r)^{xy}, because by construction, a = g^α and A = g^{αz} = Z^α, 
= a^{x+xym} A^{xyr}. 

More generally, in Signature Scheme C, all the signer needs is the value M = 
g^{m^(0)} ∏_{i=1}^ℓ Z_i^{m^(i)}. He can then compute (a = g^α, {A_i}, b, {B_i}) as prescribed, 
and let c = a^x M^{αxy} as above. 

We do not know how to prove such a method for signing secure under the 
LRSW assumption: the difference from the usual method is that here, the ad- 
versary may win by asking a signature query for M for which he does not know 
the representation in terms of g and Z. 

Thus, in order to obtain a signature on a committed value, the protocol needs 
to be amended by having a recipient of the signature prove that he knows the 
representation of M in bases g and Z . 

Let us give the protocol in detail now. We give the protocol for Signature 
Scheme C, the ones for Signature Schemes A and B follow from this as they are 
special cases of Signature Scheme C. 

Obtaining a Signature C on a Committed Value. Suppose that M = g^{m^(0)} ∏_{i=1}^ℓ 
Z_i^{m^(i)} is a commitment to a set of messages (m^(0), ..., m^(ℓ)) whose signature the 
user wishes to obtain. Then the user and the signer run the following protocol: 

Common Input. The public key pk = (q, G, G̃, g, g̃, e, X, Y, {Z_i}), and a com- 
mitment M. 

User’s Input. Values (m^(0), ..., m^(ℓ)) such that M = g^{m^(0)} ∏_{i=1}^ℓ Z_i^{m^(i)}. 
Signer’s Input. Signing key sk = (x, y, {z_i}). 

Protocol. First, the user gives a zero-knowledge proof of knowledge of the open- 
ing of the commitment: 

PK{(μ_0, ..., μ_ℓ) : M = g^{μ_0} ∏_{i=1}^ℓ Z_i^{μ_i}}. 

Next, the signer computes σ = (a, {A_i}, b, {B_i}, c) as described above, namely: 

— α ← Z_q, a = g^α. 

— For 1 ≤ i ≤ ℓ, let A_i = a^{z_i}. Then set b = a^y, and for 1 ≤ i ≤ ℓ, let 
B_i = A_i^y. 

— c = a^x M^{αxy}. 

The user outputs the signature a. 
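As an added worked example (not code from the paper or its authors), the following Python models Schemes A and C, the re-randomization of Section 4 and the signer's computation c = a^x M^{αxy} of the protocol above in a toy pairing group: every element of G and G̃ is stored as its discrete logarithm base g in Z_q, so the group law is addition mod q, exponentiation is multiplication mod q, and e(P, R) = log(P)·log(R) mod q is bilinear and non-degenerate. The constructed modulus, the function names and the toy representation are assumptions; discrete logarithms are trivial in this model, so it reproduces only the verification algebra and offers no security.

```python
import secrets

Q = 1_000_003  # constructed prime standing in for the group order q (toy size)
G = 1          # log_g(g) = 1: the generator itself


def gmul(p, r):   # P * R in G (the same rule serves products in G_T)
    return (p + r) % Q


def gpow(p, k):   # P^k
    return (p * k) % Q


def pair(p, r):   # e(P, R): bilinear, e(P^a, R^b) = e(P, R)^(ab)
    return (p * r) % Q


def rnd():        # uniform non-zero element of Z_q
    return secrets.randbelow(Q - 1) + 1


def keygen(ell):
    """Scheme C key generation; ell = 0 gives Scheme A's (X, Y)."""
    x, y = rnd(), rnd()
    zs = [rnd() for _ in range(ell)]
    sk = (x, y, zs)
    pk = (gpow(G, x), gpow(G, y), [gpow(G, z) for z in zs])  # X, Y, {Z_i}
    return sk, pk


def sign(sk, msgs):
    """Scheme C: sigma = (a, {A_i}, b, {B_i}, c) on (m0, m1, ..., m_ell)."""
    x, y, zs = sk
    m0, rest = msgs[0], msgs[1:]
    assert len(rest) == len(zs)
    a = rnd()
    As = [gpow(a, z) for z in zs]                 # A_i = a^{z_i}
    b = gpow(a, y)                                # b = a^y
    Bs = [gpow(A, y) for A in As]                 # B_i = A_i^y
    c = gpow(a, (x + x * y * m0) % Q)             # a^{x + xy m0} ...
    for A, m in zip(As, rest):
        c = gmul(c, gpow(A, (x * y * m) % Q))     # ... * prod A_i^{xy m_i}
    return (a, As, b, Bs, c)


def verify(pk, msgs, sig):
    """The three verification checks of Scheme C (equation (1) when ell = 0)."""
    X, Y, Zs = pk
    a, As, b, Bs, c = sig
    m0, rest = msgs[0], msgs[1:]
    if not (len(As) == len(Bs) == len(rest) == len(Zs)):
        return False
    # 1. e(a, Z_i) = e(g, A_i)
    if any(pair(a, Z) != pair(G, A) for Z, A in zip(Zs, As)):
        return False
    # 2. e(a, Y) = e(g, b) and e(A_i, Y) = e(g, B_i)
    if pair(a, Y) != pair(G, b):
        return False
    if any(pair(A, Y) != pair(G, B) for A, B in zip(As, Bs)):
        return False
    # 3. e(X, a) * e(X, b)^{m0} * prod e(X, B_i)^{m_i} = e(g, c)
    lhs = gmul(pair(X, a), gpow(pair(X, b), m0))
    for B, m in zip(Bs, rest):
        lhs = gmul(lhs, gpow(pair(X, B), m))
    return lhs == pair(G, c)


def rerandomize(sig):
    """Section 4: raising every component to a random r yields a fresh signature."""
    r = rnd()
    a, As, b, Bs, c = sig
    return (gpow(a, r), [gpow(A, r) for A in As], gpow(b, r),
            [gpow(B, r) for B in Bs], gpow(c, r))


def commit(pk, msgs):
    """The user's commitment M = g^{m0} * prod Z_i^{m_i}."""
    _, _, Zs = pk
    M = gpow(G, msgs[0])
    for Z, m in zip(Zs, msgs[1:]):
        M = gmul(M, gpow(Z, m))
    return M


def sign_committed(sk, M):
    """Signer's side of the protocol: only M is known; a = g^alpha, c = a^x M^{alpha x y}."""
    x, y, zs = sk
    alpha = rnd()
    a = gpow(G, alpha)
    As = [gpow(a, z) for z in zs]
    b = gpow(a, y)
    Bs = [gpow(A, y) for A in As]
    c = gmul(gpow(a, x), gpow(M, (alpha * x * y) % Q))
    return (a, As, b, Bs, c)
```

The signature produced from M alone passes the same verification as one computed from the messages directly, which is the identity c = a^x M^{αxy} = a^{x+xym^(0)} ∏ A_i^{xym^(i)} checked in the text.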
Theorem 3. The protocol above is a secure two-party computation of a signa- 
ture on a discrete-logarithm representation of M under the signer’s public key. 

Proof. (Sketch) From the signer’s point of view, this protocol is as secure as 
when the user submits his signature queries in the clear. This is because of the 
proof of knowledge: there exists an extractor that can discover the value of the 
message being signed, and ask it of the signer in the clear. 

From the user’s point of view, as the only place where the user’s secret input 
(m^(0), ..., m^(ℓ)) is used is the zero-knowledge proof of knowledge of these values, 
the only thing that the signer finds out about the message is 
the input value M. Note that if m^(ℓ) is distributed uniformly at random, then 
M information-theoretically hides the values m^(0), ..., m^(ℓ-1). 



4.3 Proving Knowledge of a Signature 

We first present a protocol to prove knowledge of a signature that works for 
Scheme A. We then explain why the protocol does not generalize to Scheme B 
(and thus also Scheme C), show how Scheme C needs to be extended to fix this 
problem, and obtain Scheme D. We then give a proof of security of Scheme D and 
a zero-knowledge protocol for proving knowledge of a signature under Scheme 
D. We note that the protocol to sign a committed (secret) message also works 
for Scheme D. 

The following protocol is a zero-knowledge proof of knowledge of a signed 
message for Scheme A. 

Common input. The public key pk = (q, G, G̃, g, g̃, e, X, Y). 

Prover’s input. The message m ∈ Z_q and signature σ = (a, b, c). 

Protocol. The prover does the following: 

1. Compute a blinded version of his signature σ: Choose random r, r' ∈ Z_q, 
and blind the signature to form σ̃ := (a^r, b^r, c^{rr'}) = (ã, b̃, ĉ^{r'}) = (ã, b̃, c̃). 
Send (ã, b̃, c̃) to the verifier. 

2. Let V_x, V_xy, and V_s be as follows: 

V_x = e(X, ã), V_xy = e(X, b̃), V_s = e(g, c̃). 

The Prover and Verifier compute these values (locally) and then carry 
out the following zero-knowledge proof protocol: 

PK{(τ, ρ) : V_s^ρ = V_x · V_xy^τ}. 

The Verifier accepts if it accepts the proof above and e(ã, Y) = e(g, b̃). 

Theorem 4. The protocol above is a zero knowledge proof of knowledge of a 
signature a on a message m under Signature Scheme A. 

Proof. First, we prove the zero-knowledge property. The values that the verifier 
receives from the prover in Step 1 are independent of the actual signature: ã and b̃ 
are just random values satisfying e(ã, Y) = e(g, b̃), and c̃ is random in G because 
c̃ = ĉ^{r'} for a randomly chosen r'. Therefore, consider the following simulator S: 
Choose random r and r', and set ã = g^r, b̃ = Y^r, c̃ = g^{r'}. Then (ã, b̃, c̃) is 
distributed correctly, and so Step 1 is simulated correctly. Then, because in 
Step 2, the Prover and Verifier execute a zero-knowledge proof, it follows that 
there exists a simulator S' for this step; just run S'. It is easy to see that S 
constructed this way is the zero-knowledge simulator for this protocol. 

Next, let us prove that this protocol is a proof of knowledge. That is to say, we 
must exhibit a knowledge extractor algorithm E that, given access to a Prover 
such that the Verifier’s acceptance probability is non-negligible, outputs a value 
(m, σ), such that σ is a valid signature. Suppose that we are given such a prover. 
The extractor proceeds as follows: first, it runs the extractor for the proof of 
knowledge protocol of Step 2. As a result, it obtains the values ρ, m ∈ Z_q such 
that V_s^ρ = V_x V_xy^m. Then: 

V_s^ρ = V_x V_xy^m 
e(g, c̃)^ρ = e(X, ã) e(X, b̃)^m 
e(g, c̃^ρ) = e(X, ã) e(X, b̃)^m 

And therefore the triple σ = (ã, b̃, c̃^ρ) satisfies the verification equation (1) and 
hence is a signature on the message m, so our extractor outputs (m, σ). 
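The Scheme A protocol and its extractor, as an added example that is not code from the paper or its authors: group elements are stored as discrete logarithms base g in Z_q (group law = addition, exponentiation = multiplication, e(P, R) = log(P)·log(R) mod q), the Step 2 proof is a Schnorr-type sigma protocol for the relation V_s^ρ = V_x · V_xy^τ made non-interactive with the Fiat-Shamir heuristic, and the prover additionally hands back its witness so that the extractor step of Theorem 4 can be checked. The modulus, hash-to-Z_q, and all names are assumptions; discrete logarithms are trivial in this model, so it exercises the protocol's algebra only and hides nothing.

```python
import hashlib
import secrets

Q = 1_000_003  # constructed prime standing in for the group order q (toy size)
G = 1          # log_g(g) = 1


def gpow(p, k):    # P^k in G (or in G_T)
    return (p * k) % Q


def pair(p, r):    # e(P, R), bilinear in both arguments
    return (p * r) % Q


def rnd():         # uniform non-zero element of Z_q
    return secrets.randbelow(Q - 1) + 1


def keygen():
    """Scheme A keys: sk = (x, y), pk = (X, Y) = (g^x, g^y)."""
    x, y = rnd(), rnd()
    return (x, y), (gpow(G, x), gpow(G, y))


def sign(sk, m):
    """Scheme A: sigma = (a, a^y, a^{x+mxy}) for random a."""
    x, y = sk
    a = rnd()
    return (a, gpow(a, y), gpow(a, (x + m * x * y) % Q))


def verify(pk, m, sig):
    """Verification equations (1): e(a,Y) = e(g,b) and e(X,a) e(X,b)^m = e(g,c)."""
    X, Y = pk
    a, b, c = sig
    return (pair(a, Y) == pair(G, b)
            and (pair(X, a) + gpow(pair(X, b), m)) % Q == pair(G, c))


def challenge(*vals):
    """Constructed Fiat-Shamir challenge: hash the transcript into Z_q."""
    data = b"".join(v.to_bytes(4, "big") for v in vals)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove(pk, m, sig):
    """Step 1 blinds sigma; Step 2 is PK{(tau, rho): V_s^rho = V_x V_xy^tau}
    with witness tau = m and rho = 1/r' mod q."""
    X, Y = pk
    a, b, c = sig
    r, r1 = rnd(), rnd()
    at, bt, ct = gpow(a, r), gpow(b, r), gpow(c, (r * r1) % Q)  # (a^r, b^r, c^{rr'})
    Vx, Vxy, Vs = pair(X, at), pair(X, bt), pair(G, ct)
    tau, rho = m % Q, pow(r1, -1, Q)
    # sigma-protocol commitment T = V_s^{rho~} V_xy^{-tau~} for random rho~, tau~
    rt, tt = rnd(), rnd()
    T = (rt * Vs - tt * Vxy) % Q
    ch = challenge(Vx, Vxy, Vs, T)
    s_rho, s_tau = (rt + ch * rho) % Q, (tt + ch * tau) % Q
    # The witness is returned only so the extractor of Theorem 4 can be exercised;
    # a real prover keeps (rho, tau) to itself.
    return (at, bt, ct), (T, s_rho, s_tau), (rho, tau)


def verify_proof(pk, blinded, proof):
    """Verifier: e(a~, Y) = e(g, b~) plus the sigma-protocol check."""
    X, Y = pk
    at, bt, ct = blinded
    T, s_rho, s_tau = proof
    if pair(at, Y) != pair(G, bt):
        return False
    Vx, Vxy, Vs = pair(X, at), pair(X, bt), pair(G, ct)
    ch = challenge(Vx, Vxy, Vs, T)
    # V_s^{s_rho} V_xy^{-s_tau} == T V_x^{ch}, written additively
    return (s_rho * Vs - s_tau * Vxy) % Q == (T + ch * Vx) % Q


def extract(pk, blinded, rho, tau):
    """Extractor step of Theorem 4: (a~, b~, c~^rho) must be a signature on tau."""
    at, bt, ct = blinded
    return verify(pk, tau, (at, bt, gpow(ct, rho)))
```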

Let us now try to adapt this protocol for Signature Scheme C. There is one 
subtlety that arises here: The zero-knowledge simulator needs to be able to come 
up with something that looks like a blinded signature (let us call it simulated 
signature), even though the simulator is not given any signature. In Signature 
Scheme A this turned out not to be a problem: the simulator simply picked a 
random r and set ã = g^r and b̃ = Y^r. Here, this is not going to work, because, 
in addition to ã and b̃, the simulated signature needs to include the values {Ã_i} 
and {B̃_i}. Now, forming Ã_i is not a problem: Ã_i = Z_i^r. But how do we compute 
B̃_i = Ã_i^y without knowing z_i or y? 

To that end, we may augment the public key for signature scheme C to 
include a signature on some dummy message, so that the simulator will be given 
some valid signature that includes the correctly formed tuple (a, {A_i}, b, {B_i}), 
and then, in order to obtain the simulated signature, the simulator will pick a 
random r, and let ã = a^r, b̃ = b^r, Ã_i = A_i^r, and B̃_i = B_i^r. 

An even better solution, in terms of reducing the size of the public key, is 
actually to include the values W_i = Y^{z_i} in the public key, instead of the signature 
on the dummy message. It is easy to see that this has no effect on the security 
of the signature scheme. 

Let us now give this new, augmented signature scheme, and prove it secure. 
Signature Scheme D. This signature scheme is the same as Signature Scheme 
C, except that the public key also includes the values {W_i = Y^{z_i}}. 

Key generation. Run the Setup algorithm to generate (q, G, G̃, g, g̃, e). Choose 
x ← Z_q, y ← Z_q, and for 1 ≤ i ≤ ℓ, z_i ← Z_q. Let X = g^x, Y = g^y 
and, for 1 ≤ i ≤ ℓ, Z_i = g^{z_i} and W_i = Y^{z_i}. Set sk = (x, y, z_1, ..., z_ℓ), 
pk = (q, G, G̃, g, g̃, e, X, Y, {Z_i}, {W_i}). 
The signature and verification algorithm are identical to the ones of Scheme C. 

Theorem 5. Signature Scheme D is correct and secure under the LRSW as- 
sumption. 

The detailed proof of this theorem is given in the full version of this paper. 
The main idea of the proof of security is that the proof for Scheme B generalizes 
to the case when we have several Zi’s. 

As a forger for Scheme C is also a forger for Scheme D, we have: 

Corollary 1. Signature Scheme C is correct and secure under the LRSW as- 
sumption. 

The full description of the protocol and proof of security follow. 

Common input. The public key pk = (q, G, G̃, g, g̃, e, X, Y, {Z_i}, {W_i}). 
Prover’s input. The block of messages (m^(0), ..., m^(ℓ)) and signature σ = 
(a, {A_i}, b, {B_i}, c). 

Protocol. The prover does the following: 

1. Compute a blinded version of his signature σ: Choose random r, r' ∈ Z_q. 
Form σ̃ = (ã, {Ã_i}, b̃, {B̃_i}, ĉ) as follows: 

ã = a^r, b̃ = b^r and ĉ = c^r 

Ã_i = A_i^r and B̃_i = B_i^r for 1 ≤ i ≤ ℓ 

Further, blind ĉ to obtain a value c̃ that is distributed independently 
of everything else: c̃ = ĉ^{r'}. 

Send (ã, {Ã_i}, b̃, {B̃_i}, c̃) to the verifier. 

2. Let V_x, V_xy, V_(xy,i), i = 1, ..., ℓ, and V_s be as follows: 

V_x = e(X, ã), V_xy = e(X, b̃), V_(xy,i) = e(X, B̃_i), V_s = e(g, c̃). 

The Prover and Verifier compute these values (locally) and then carry 
out the following zero-knowledge proof protocol: 

PK{(μ_0, ..., μ_ℓ, ρ) : V_s^ρ = V_x · V_xy^{μ_0} · ∏_{i=1}^ℓ V_(xy,i)^{μ_i}}. 

The Verifier accepts if it accepts the proof above and (a) {Ã_i} were 
formed correctly: e(ã, Z_i) = e(g, Ã_i); and (b) b̃ and {B̃_i} were formed 
correctly: e(ã, Y) = e(g, b̃) and e(Ã_i, Y) = e(g, B̃_i). 

Theorem 6. The protocol above is a zero knowledge proof of knowledge of a 
signature a on a block of messages . . . , under Signature Scheme D. 

The proof of this theorem follows the proof of Theorem 4 and is provided in the 
full version of this paper. 
4.4 An Efficient Group Signature Scheme Secure 
under the LRSW Assumption 

We now present the first efficient group signature (and identity escrow) scheme 
whose security relies solely on assumptions related to the discrete logarithm 
problem (in the random oracle model). In contrast, all previous efficient schemes 
rely on the strong RSA assumption plus the decisional Diffie-Hellman assump- 
tion. 

Recall that a group signature scheme allows members of a group to sign 
anonymously on the group’s behalf. In case of disputes, there exists a trusted 
third party called revocation manager who will be able to open a signature and 
reveal the identity of the signer. A group signature scheme consists of five proce- 
dures: (1) a key generation procedure that produces the public key of the group 
(and also some keys for the group and revocation manager), (2) a join protocol 
for a member to get admitted by the group manager, (3) a sign algorithm for an 
admitted member to sign a message, (4) a verification algorithm to check group 
signatures for validity with respect to the group’s public key, and (5) an opening 
algorithm that allows the revocation manager to reveal the identity of a signer. 
A group signature scheme is secure if only the revocation manager can reveal 
the identity of the signer (anonymity) and if the revocation manager can do this 
for all valid signatures (traceability) [3]. 

Our construction follows the approach introduced by Camenisch and Stadler 
[12]: A member gets a certificate on a membership public key from the group 
manager when she joins the group. When she wants to sign on behalf of the 
group, she encrypts her membership public key under the encryption key of the 
party who will later be able to open group signatures (revocation manager) and 
then proves that she possesses a certificate on the encrypted membership public 
key and that she knows its secret key. To make this proof a signature, one usually 
applies the Fiat-Shamir heuristic to this proof [21]. 

The public key of the group manager is the public key of our Scheme A, i.e., $pk_M = (q, G, \mathbf{G}, g, \mathbf{g}, e, X, Y)$, and his secret key is $x = \log_g X$ and $y = \log_g Y$. The public key of the revocation manager is the public key of the Cramer-Shoup encryption scheme [18] in the group $\mathbf{G} = \langle \mathbf{g} \rangle$, i.e., $pk_R = (h, y_1, y_2, y_3)$, with $h \in_R \mathbf{G}$ and $y_1, y_2, y_3 \in \mathbf{G}$ computed as in [18] from the revocation manager's secret key, a tuple of exponents $x_i \in_R \mathbb{Z}_q$ (see the footnote below). Finally, let $H() : \{0,1\}^* \to \mathbb{Z}_q$ be a collision resistant hash function (modeled as a random oracle in the proof of security).

The join protocol is as follows. The future group member chooses her membership secret key $k \in_R \mathbb{Z}_q$, sets $P = g^k$, sends $P$ authentically to the group manager, and proves to the group manager the knowledge of $\log_g P$. The group manager replies with a Scheme A signature $(a, b, c)$ on the message committed by $P$, i.e., computes $a = g^r$, $b = a^y$, and $c = a^x P^{rxy}$, where $r \in_R \mathbb{Z}_q$ (cf. §4.2).



The Cramer-Shoup cryptosystem is secure under the decisional Diffie-Hellman (DDH) assumption. Therefore, we cannot use it over the group $G$, because the existence of a bilinear map on $G$ implies that the DDH problem in $G$ is tractable. Thus, we use the CS cryptosystem in the group $\mathbf{G}$ instead.
The group manager stores $\tilde P = e(P, g)$ together with $P$ and the identity of the new group member.

To sign a message $m$ on behalf of the group, the user computes $\tilde P = \mathbf{g}^k = e(P, g)$ and a blinded version of the certificate by choosing random $r, r' \in \mathbb{Z}_q$ and computing $\tilde\sigma := (a^r, b^r, c^{rr'}) = (\tilde a, \tilde b, \hat c^{\,r'}) = (\tilde a, \tilde b, \tilde c)$. Next, she encrypts $\tilde P$ under the revocation manager's public key $pk_R$, i.e., she chooses $u \in_R \mathbb{Z}_q$ and computes $c_1 = \mathbf{g}^u$, $c_2 = h^u$, $c_3 = y_1^u \tilde P$, and $c_4 = (y_2 y_3^{H(c_1, c_2, c_3)})^u$. Then she computes the following proof-signature (cf. §2):

$\Sigma = SPK\{(\rho, \mu, \nu) : V_s^{\rho} = V_x V_{xy}^{\mu} \;\wedge\; c_1 = \mathbf{g}^{\nu} \;\wedge\; c_2 = h^{\nu} \;\wedge\; c_3 = y_1^{\nu} \mathbf{g}^{\mu} \;\wedge\; c_4 = (y_2 y_3^{H(c_1, c_2, c_3)})^{\nu}\}(m)$,

where $V_x = e(X, \tilde a)$, $V_{xy} = e(X, \tilde b)$, and $V_s = e(g, \tilde c)$. A group signature consists of $((\tilde a, \tilde b, \tilde c), (c_1, c_2, c_3, c_4), \Sigma)$ and is valid if $\Sigma$ is a valid SPK as defined above and if $e(\tilde a, Y) = e(g, \tilde b)$ holds.
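The proof-signature above lives in the pairing target group, for which no standard library is at hand. As an added example (written for this page, not code from the paper), the following Python shows the Fiat-Shamir proof-signature for the equality-of-discrete-logarithm part of the statement, $SPK\{(\nu) : c_1 = \mathbf{g}^{\nu} \wedge c_2 = h^{\nu}\}(m)$, over a plain prime-order subgroup of $\mathbb{Z}_p^*$ standing in for $\mathbf{G}$. It assumes toy 64-bit safe-prime parameters generated at run time (far too small for real use), a second base $h$ obtained by hashing into the subgroup so that nobody knows $\log_{\mathbf{g}} h$, and SHA-256 as the random-oracle hash $H$; the message strings are constructed.

```python
"""Fiat-Shamir proof-signature SPK{(nu): c1 = g^nu AND c2 = h^nu}(m) over a prime-order
subgroup of Z_p^*.  Example code for this page, not the paper's pairing-based scheme."""
import hashlib
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)


def is_probable_prime(n):
    """Miller-Rabin with the first 13 primes as bases; deterministic for n < 3.3e24,
    which covers the toy 64-bit parameters generated below."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_group(bits=64, seed=2004):
    """Assumed toy parameters (NOT for real use): safe prime p = 2q + 1, the order-q
    subgroup of Z_p^*, generator g = 4 (a square, hence of order q) and a second base h
    hashed into the subgroup, so its discrete log to base g is unknown."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            break
    p = 2 * q + 1
    g = 4
    h = pow(int.from_bytes(hashlib.sha256(b"second base").digest(), "big") % p, 2, p)
    return p, q, g, h


def challenge(q, *parts):
    """H(): {0,1}^* -> Z_q, modelled as a random oracle; every input is length-prefixed."""
    sha = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        sha.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(sha.digest(), "big") % q


def spk_sign(params, nu, message, rng):
    """Prover: statement (c1, c2) = (g^nu, h^nu); one Schnorr commitment t under both bases,
    challenge bound to statement and message, response s = t - e*nu mod q."""
    p, q, g, h = params
    c1, c2 = pow(g, nu, p), pow(h, nu, p)
    t = rng.randrange(1, q)
    e = challenge(q, g, h, c1, c2, pow(g, t, p), pow(h, t, p), message)
    s = (t - e * nu) % q
    return (c1, c2), (e, s)


def spk_verify(params, statement, proof, message):
    """Verifier: reject elements outside the order-q subgroup, recompute g^t = g^s c1^e and
    h^t = h^s c2^e, and check that they hash back to the claimed challenge."""
    p, q, g, h = params
    c1, c2 = statement
    e, s = proof
    if not (0 < c1 < p and 0 < c2 < p and pow(c1, q, p) == 1 and pow(c2, q, p) == 1):
        return False
    t1 = pow(g, s, p) * pow(c1, e, p) % p
    t2 = pow(h, s, p) * pow(c2, e, p) % p
    return e == challenge(q, g, h, c1, c2, t1, t2, message)


def demo(seed=2004):
    """Sign, verify, then show that changing the message or the statement breaks the proof."""
    params = toy_group(seed=seed)
    p, q, g, h = params
    rng = random.Random(seed)
    nu = rng.randrange(1, q)
    statement, proof = spk_sign(params, nu, b"join request #1", rng)
    ok = spk_verify(params, statement, proof, b"join request #1")
    wrong_message = spk_verify(params, statement, proof, b"join request #2")
    # c2 computed with a different exponent: no single nu fits both bases
    forged = (statement[0], pow(h, (nu + 1) % q, p))
    wrong_statement = spk_verify(params, forged, proof, b"join request #1")
    return ok, wrong_message, wrong_statement
```

The subgroup-membership check in `spk_verify` is the part most often forgotten in practice; without it a verifier accepts ciphertext components of small order, which is exactly what the Cramer-Shoup consistency check is meant to exclude.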

To open such a group signature, the revocation manager needs to decrypt $(c_1, c_2, c_3, c_4)$ to obtain $\tilde P$, which identifies the group member.

It is not hard to see that, in the random oracle model, this is a secure group signature scheme under the LRSW and the decisional Diffie-Hellman assumption in $\mathbf{G}$. Let us give a proof sketch for security under the Bellare et al. [3] definition. If an adversary can break anonymity, then one can break the encryption scheme, as $(\tilde a, \tilde b, \tilde c)$ are random values and $\Sigma$ is derived from an honest-verifier zero-knowledge proof. If an adversary can produce a signature that cannot be opened, i.e., linked to a registered member by the revocation manager, then one can use rewinding to extract a forged signature and break the signature scheme (cf. the analysis of the protocol to prove knowledge of a signature in §4.3). If used as an identity escrow scheme (i.e., if $\Sigma$ is not a proof-signature but a real protocol between a group member and a verifier), the security proof need not assume random oracles.

The scheme just described can be extended in several ways. For instance, we could use Scheme D instead of Scheme A and include the user's identity $id$ directly into her membership key $P$, e.g., $P = g^k Z_1^{id}$. That is, in the join protocol, the user would send $P' = g^k$ (and prove knowledge of $\log_g P'$) and the group manager would then compute $P = P' Z_1^{id}$ itself, to ensure that indeed $id$ is contained in $P$. Then, instead of encrypting $\tilde P$, one could use the Camenisch-Shoup encryption scheme [11] to directly encrypt the identity as one of the discrete logarithms the knowledge of which is proven when proving knowledge of a signature.



5 Constructions Based on the BBS Group Signature 

Recently and independently of this work, Boneh, Boyen and Shacham [5] presented a group signature scheme secure under the strong Diffie-Hellman and the Linear assumptions. They showed that, under these assumptions in groups with bilinear pairings, it is hard, on input $(g_1, g_2 = g_1^{\gamma})$, to sample tuples of the form $(A, x)$ where $A = g_1^{1/(\gamma + x)}$ (in other words, $A^{\gamma + x} = g_1$), even given a polynomial number of such samples. In their group signature scheme, such a tuple $(A, x)$ is a user's group membership certificate, while $(g_1, g_2)$ is the public key of the group. At the heart of their construction are (1) a zero-knowledge proof of knowledge of such a tuple; and (2) a scheme for encrypting $x$. They prove the resulting construction secure under a slightly weaker variant of the Bellare, Micciancio, and Warinschi [3] definition of security.

Boneh, Boyen, and Shacham also modify their main group signature scheme to achieve exculpability, as follows. The public key of the group is augmented by an additional value $h$; it is now $(g_1, g_2, h)$. The membership certificate of a group member is $(A, x, y)$ such that $A^{x + \gamma} h^{y} = g_1$. This membership certificate is created via a protocol in which the group manager only learns the value $h^{y}$, but not the value $y$. The unforgeability of membership certificates in this modified scheme can be derived from that of their main scheme. They achieve exculpability because a proof of knowledge of a membership certificate requires the knowledge of the value $y$.

Note that this latter signature scheme gives rise to the equivalent of our Signature Scheme A, but under a different assumption. Namely, the membership certificate $(A, x, y)$ is a signature on the value $y$. Just as in our Scheme A, a group member obtains his group membership certificate in such a way that the group manager learns the value $h^{y}$ but not the value $y$ itself.

Not surprisingly, this signature scheme can be extended to the equivalent of our Schemes B and C using techniques similar to the ones described above. As a result, we can obtain signature schemes with efficient protocols based on the BBS signature. Let us give a sketch for the equivalent of Scheme C. A public key would be $(g_1, g_2, h_0, h_1, \dots, h_\ell)$. A signature on a block of messages $(m_0, \dots, m_\ell)$ consists of values $(A, x)$ such that $A^{x + \gamma} \prod_{i=0}^{\ell} h_i^{m_i} = g_1$. In order to obtain a signature on a committed block of messages, a user will have to supply the signer with the value $Y = \prod_{i=0}^{\ell} h_i^{m_i}$, and prove knowledge of its representation in the bases $(h_0, \dots, h_\ell)$. If $m_0$ is chosen at random, then $Y$ information-theoretically hides $(m_1, \dots, m_\ell)$. The signer will then generate the signature. A proof of knowledge of a signature on a committed value can be obtained by appropriate modifications to the BBS group signature protocol.
Abstract. Let $f : \{0,1\}^n \to \{0,1\}^l$ be a one-way function. A function $h : \{0,1\}^n \to \{0,1\}^m$ is called a hard-core function for $f$ if, when given $f(x)$ for a (secret) $x$ drawn uniformly from $\{0,1\}^n$, it is computationally infeasible to distinguish $h(x)$ from a uniformly random $m$-bit string. A (randomized) function $h : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^m$ is a general hard-core function if it is hard-core for every one-way function $f : \{0,1\}^n \to \{0,1\}^l$, where the second input to $h$ is a $k$-bit uniform random string $r$. Hard-core functions are a crucial tool in cryptography, in particular for the construction of pseudo-random generators and pseudo-random functions from any one-way function.

The first general hard-core predicate, proposed by Goldreich and Levin, and several subsequently proposed hard-core functions, are bilinear functions in the two arguments $x$ and $r$. In this paper we introduce a parameter of bilinear functions $h : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^m$, called exponential rank loss, and prove that it characterizes exactly whether or not $h$ is a general hard-core function. The security proofs for the previously proposed bilinear hard-core functions follow as simple consequences. Our results are obtained by extending the class of list-decodable codes and by generalizing Hast's list-decoding algorithm from the Reed-Muller code to general codes.

Keywords: List-decoding, hard-core functions, Goldreich-Levin predi- 
cate. 



1 Introduction 

Blum and Micali [BM84] showed a hard-core predicate¹ for the exponentiation 
function modulo a prime, which is widely conjectured to be one-way (except 
for special primes). They also showed how to construct a pseudo-random gen- 
erator based on it. Hard-core predicates are also known for some other specific 
(conjectured) one-way functions. 

In a seminal paper [GL89], Goldreich and Levin proved that for any one-way function $f : \{0,1\}^n \to \{0,1\}^l$ the XOR of a random subset of the $n$ bits 

¹ The term predicate is used throughout to denote a function with range $\{0,1\}$.

M. Franklin (Ed.): CRYPTO 2004, LNCS 3152, pp. 73-91, 2004. 
of the input $x$ constitutes a hard-core predicate. This function is randomized (because of the choice of a random subset), and it is easy to see that any general hard-core function must be randomized. An alternative view is to interpret the randomizing input of the hard-core function as an extra input and output of a modified one-way function $f' : \{0,1\}^{2n} \to \{0,1\}^{l+n}$ defined by

$f'(x, r) = (f(x), r),$

which now has a deterministic hard-core function $h(x, r)$.² The Goldreich-Levin hard-core function is simply the inner product of $x$ and $r$, which is a bilinear function $h : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}$.

Any such bilinear map $h$ is characterized by a binary $n \times n$ matrix $M$, where $h(x, r) = x^T M r$. For the Goldreich-Levin predicate, $M$ is simply the identity matrix.

One can show (see [Lub96]) that $m = O(\log n)$ independent Goldreich-Levin predicates are jointly hard-core, i.e., they form a hard-core function $h : \{0,1\}^n \times \{0,1\}^{mn} \to \{0,1\}^m$. An important issue is to reduce the required amount of randomness in a hard-core function. A construction presented in [GL89] (see also [Gol01]) requires only $n + m - 1$ instead of $mn$ random bits for an $m$-bit hard-core function. Goldreich, Rubinfeld, and Sudan [GRS00] reduced the number of random bits down to $n$, as for the Goldreich-Levin function, which produces only one (rather than $m$) bit. While some of the proofs of these results as they appear in the literature are non-trivial, they will all follow as simple consequences of our main theorem.

More generally, one can consider bilinear functions for vector spaces over any finite field $\mathbb{F}$, i.e., functions $h : \mathbb{F}^n \times \mathbb{F}^k \to \mathbb{F}^m$. We are interested in characterizing which of these functions are general hard-core functions. This characterization turns out to be given by a quite simple parameter of such a bilinear function. The characterization is complete in the sense that when the parameter is below a certain threshold, then the function is hard-core, and otherwise there exist one-way functions $f$ (under some reasonable complexity-theoretic assumption) such that $h$ is not a hard-core function for $f$.

Let us discuss this parameter. For any linear function $\ell : \mathbb{F}^m \to \mathbb{F}$, the function $\ell \circ h$ is a bilinear function $\mathbb{F}^n \times \mathbb{F}^k \to \mathbb{F}$ which can be characterized by an $n \times k$ matrix over $\mathbb{F}$. The parameter of interest, which we call exponential rank loss, is defined as the expected value of the exponentially weighted rank of this matrix, when averaged over all non-zero functions $\ell$.

The main technical part of [GL89] consists in showing that an error-correcting 
code has certain list-decoding properties, i.e., that it is possible to find a list of 
all codewords in a Hamming ball of a certain size. In this paper we show how 
to list-decode a larger class of codes. The stated characterization of hard-core 
functions will then follow. 

One application of one-way functions and hard-core predicates is pseudorandom generators. It is easy to obtain a pseudorandom generator from any one-way 

² Yao's method (implicit in [Yao82]) of using several copies of a one-way function and computing the XOR of some of the inputs can also be seen in the same light.
permutation $f$ by iterating $f$ and after each iteration extracting a (the same) hard-core predicate. It is much more complicated and less efficient to use an arbitrary one-way function (see [HILL99]).

The security of a cryptographic scheme that uses a pseudo-random generator 
is proven by showing that an algorithm breaking the scheme could distinguish 
the pseudo-randomness from real randomness. Hast [Has03] showed that in many 
cryptographic applications, breaking the scheme is actually stronger than just 
distinguishing the randomness from pseudorandomness with small probability, 
in the sense that if an algorithm is given a pseudo-random or random input and 
it breaks the scheme, then it is almost certain that the input was pseudo-random 
rather than random. Hast then shows that this leads to an improved security 
analysis for many constructions. The main technical tool is an extension of the 
list-decoding algorithm to the case where erasures in the codewords are allowed. 
We use this extension, and furthermore generalize Hast’s result by giving list- 
decoding algorithms that are able to handle erasures for more general codes. 

Section 2 introduces the notation and discusses bilinear functions and list- 
decoding, the main technical tool of the paper. Previous work is also summarized 
in this section. In Section 3, we analyze a special case of bilinear functions, namely those for which all matrices mentioned above (i.e., for all non-zero linear 
functions) have full rank. This special case already suffices to prove previous 
results in the literature. We generalize the algorithm in Section 4 such that it 
works with any bilinear code, where the running time and the produced list will 
grow linearly with the exponential rank loss of the code. In Section 5 we discuss 
the application to characterizing hard-core functions. 

2 Preliminaries 

We use calligraphic letters to denote sets. Capital letters denote random variables 
over the corresponding sets; and lowercase letters denote specific values of these 
random variables, i.e., values in the sets. 

The notation $f : \mathcal{X} \to \mathcal{Y}$ is used to denote a function $f$ from the domain $\mathcal{X}$ to the range $\mathcal{Y}$. Sometimes, functions take additional randomness (i.e., for every input $x \in \mathcal{X}$ the function only specifies a probability distribution over $\mathcal{Y}$). In this case we write $f : \mathcal{X} \rightsquigarrow \mathcal{Y}$, a notation which will also be used to denote randomized algorithms with domain $\mathcal{X}$ and range $\mathcal{Y}$. If an algorithm has access to a randomized function, we use the term oracle for the randomized function.

2.1 Bilinear Functions 

Let $\mathbb{F} = GF(q)$ be the finite field with $q$ elements and let $\mathbb{F}^n$ be the $n$-dimensional vector space of $n$-tuples over $\mathbb{F}$. As a special case, we identify $\{0,1\}$ with $GF(2)$, and the bitstrings $\{0,1\}^n$ of length $n$ with the $n$-dimensional vector space over $GF(2)$.

A linear function $\ell : \mathbb{F}^n \to \mathbb{F}$ can be specified by a vector $w \in \mathbb{F}^n$ such that $\ell(v) = \langle w, v \rangle := \sum_i v_i w_i$. We use $\mathcal{L}_n$ to denote the set of all linear functions $\ell : \mathbb{F}^n \to \mathbb{F}$. Furthermore, $0$ will denote the zero function $0(v) = 0$ and we use $\mathcal{L}_n^* := \mathcal{L}_n \setminus \{0\}$ for the set of all linear functions excluding $0$.

A bilinear map $h : \mathbb{F}^n \times \mathbb{F}^k \to \mathbb{F}$ can be specified by a matrix $M \in \mathbb{F}^{n \times k}$ such that $h(v, w) = v^T M w$. The rank of a bilinear map is just the rank of this matrix. A bilinear function $h : \mathbb{F}^n \times \mathbb{F}^k \to \mathbb{F}^m$ is a function where every entry in the output vector is specified by a bilinear map. Note that for any function $\ell \in \mathcal{L}_m$ the concatenation $\ell \circ h$ is a bilinear map. If $L$ is a uniformly chosen random linear function from $\mathcal{L}_m^*$, the exponential rank loss $\rho(h)$ is defined as

$\rho(h) := E_L\left[ q^{\,n - \mathrm{rank}(L \circ h)} \right].$

We say that a bilinear function is full-rank if $\mathrm{rank}(\ell \circ h) = n$ for every $\ell \in \mathcal{L}_m^*$ (in which case $\rho(h) = 1$).
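As an added example (written for this page, not the paper's code), the following Python computes $\rho(h)$ exactly over $GF(2)$ by enumerating all $2^m - 1$ non-zero $\ell$, and applies it to the constructions the introduction names: the Goldreich-Levin predicate, $m$ independent predicates with $k = mn$, and an $(n + m - 1)$-bit construction that I take to be the Toeplitz form (bit $j$ is the inner product of $x$ with a window of $r$); that reading, and the degenerate duplicated-bit function used as a non-full-rank contrast, are my assumptions. A bilinear function is represented as $m$ matrices, each a list of $n$ row bitmasks over the $k$ columns.

```python
"""Exponential rank loss rho(h) of a bilinear function over GF(2).
Example code for this page, not the paper's."""
from fractions import Fraction

# h: {0,1}^n x {0,1}^k -> {0,1}^m is given as m matrices M_0..M_{m-1}; each is a list of
# n row bitmasks over the k columns, so bit j of h(x, y) equals x^T M_j y over GF(2).


def gf2_rank(rows):
    """Rank over GF(2) of a matrix given as row bitmasks: repeatedly take a row as pivot
    and clear its lowest set bit from every other row containing that bit."""
    rank = 0
    rows = [r for r in rows if r]
    while rows:
        pivot = rows.pop()
        rank += 1
        low = pivot & -pivot
        rows = [r ^ pivot if r & low else r for r in rows]
        rows = [r for r in rows if r]
    return rank


def compose(matrices, ell):
    """Matrix of the bilinear map ell o h; ell is a nonzero linear map F^m -> F encoded as
    an m-bit int, so the result is the GF(2) sum of the M_j with bit j of ell set."""
    rows = [0] * len(matrices[0])
    for j, matrix in enumerate(matrices):
        if (ell >> j) & 1:
            rows = [r ^ s for r, s in zip(rows, matrix)]
    return rows


def exponential_rank_loss(matrices):
    """rho(h) = E_L[2^(n - rank(L o h))] with L uniform over the 2^m - 1 nonzero maps."""
    n, m = len(matrices[0]), len(matrices)
    total = sum(2 ** (n - gf2_rank(compose(matrices, ell))) for ell in range(1, 2 ** m))
    return Fraction(total, 2 ** m - 1)


def is_full_rank(matrices):
    """rank(ell o h) = n for every nonzero ell, equivalently rho(h) = 1."""
    n, m = len(matrices[0]), len(matrices)
    return all(gf2_rank(compose(matrices, ell)) == n for ell in range(1, 2 ** m))


# Constructions from the literature as I read them (assumed instances, not quoted above).
def gl_predicate(n):
    """Goldreich-Levin: h(x, r) = <x, r>, M = I_n, k = n, m = 1."""
    return [[1 << i for i in range(n)]]


def independent_gl(n, m):
    """m independent inner products, each with its own n-bit block of r; k = m*n."""
    return [[1 << (j * n + i) for i in range(n)] for j in range(m)]


def toeplitz(n, m):
    """Bit j = <x, r[j : j+n]> over a shared (n + m - 1)-bit r.  For nonzero ell the rows
    of ell o h are n distinct shifts of ell, so every such matrix has rank n."""
    return [[1 << (j + i) for i in range(n)] for j in range(m)]


def duplicated_bit(n):
    """Degenerate: both output bits equal <x, r>; ell = (1, 1) yields the zero matrix,
    so rho(h) = (2 + 2^n) / 3 grows exponentially in n."""
    identity = [1 << i for i in range(n)]
    return [identity, identity]


if __name__ == "__main__":
    for name, h in [("GL", gl_predicate(6)), ("independent", independent_gl(6, 3)),
                    ("Toeplitz", toeplitz(6, 3)), ("duplicated", duplicated_bit(6))]:
        print(f"{name:12s} full-rank={is_full_rank(h)}  rho={exponential_rank_loss(h)}")
```

The enumeration over all non-zero $\ell$ is exponential in $m$, which is fine for the $m = O(\log n)$ output lengths that Proposition 13 below concerns.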

2.2 List-Decoding 

The main tool in the construction of hard-core functions is the notion of a list- 
decodable code. Such a code has the property that, given a noisy codeword, it 
is possible to find a list of all codewords which have a certain agreement with 
the noisy codeword. 

Consider a code $C$ given as a function $C : \mathcal{X} \to \mathcal{Z}^k$. Note that the input to the function (usually the message) is an element of $\mathcal{X}$ while the output (the codeword) is a $k$-tuple over $\mathcal{Z}$. The Hamming distance of two words of $\mathcal{Z}^k$ is the number of coordinates in which the words differ. List-decoding is the task of finding, for a given $z \in \mathcal{Z}^k$, all the values $x$ for which $C(x)$ has a Hamming distance from $z$ that is smaller than some predefined bound. This is in contrast to usual error-correction, where one aims to find the one codeword which is closest to the received word. The most ambitious task is to list-decode close to the noise barrier: given any $\varepsilon > 0$ one wants to find all values $x$ for which $C(x)$ has a Hamming distance of at most $(1 - \frac{1}{|\mathcal{Z}|} - \varepsilon)k$ from a given word. Since a random word has expected distance $(1 - \frac{1}{|\mathcal{Z}|})k$ from any codeword, this is clearly the best one can expect to achieve.

Instead of considering the function $C(x)$, one can equivalently consider a function $h : \mathcal{X} \times \{1, \dots, k\} \to \mathcal{Z}$, such that $h(x, i)$ is the value of $C(x)$ at the $i$-th position. More generally we consider functions $h : \mathcal{X} \times \mathcal{Y} \to \mathcal{Z}$ for any domain $\mathcal{Y}$. Analogously, we assume that we have oracle access to the noisy word to be decoded: instead of reading the complete word it will be convenient to assume that an oracle $\mathcal{O} : \mathcal{Y} \rightsquigarrow \mathcal{Z}$, on input $y$, returns the symbol at position $y$. This allows us to list-decode in sublinear time, i.e., without looking at every position of the word, which in turn allows the codewords to be exponentially large. The oracle is stateless, but may be randomized and is not required to return the same symbol if queried twice with the same input. The agreement of an oracle with a codeword is then expressed as $\Pr[h(x, Y) = \mathcal{O}(Y)]$, where the probability is over the choice of $Y$ and the randomness of the oracle.

Additionally, we allow erasures in the word, which will be denoted by $\bot$. Thus, the oracle is a randomized function $\mathcal{O} : \mathcal{Y} \rightsquigarrow \mathcal{Z} \cup \{\bot\}$. The rate $\delta$ of such an oracle is the probability that a symbol in $\mathcal{Z}$ is returned,

$\delta := \Pr[\mathcal{O}(Y) \neq \bot].$

For a fixed word $x$, the advantage $\varepsilon$ of $\mathcal{O}$ is defined as

$\varepsilon := \Pr[\mathcal{O}(Y) = h(x, Y) \mid \mathcal{O}(Y) \neq \bot] - \frac{1}{|\mathcal{Z}|}.$

This motivates the following definition: 

Definition 1 (List-decodable code).³ The function $h : \mathcal{X} \times \mathcal{Y} \to \mathcal{Z}$ is $(\delta, \varepsilon)$-list-decodable with $k$ oracle calls and list size $\lambda$ if there exists an oracle algorithm with running time $\lambda \cdot \mathrm{poly}(\log(|\mathcal{X}|))$ which, after at most $k$ oracle calls to an oracle $\mathcal{O} : \mathcal{Y} \rightsquigarrow \mathcal{Z} \cup \{\bot\}$ with rate at least $\delta$, generates a set $\Lambda$ of size at most $\lambda$, such that for every $x$ with $\Pr[\mathcal{O}(Y) = h(x, Y) \mid \mathcal{O}(Y) \neq \bot] \geq \frac{1}{|\mathcal{Z}|} + \varepsilon$ the set satisfies $\Pr[x \in \Lambda] \geq \frac{1}{2}$.

2.3 Hard-Core Functions 

Informally, a one-way function is a function which is easy to evaluate but hard 
to invert. 

Definition 2 (One-way function). An efficiently computable function family $f : \{0,1\}^n \to \{0,1\}^{p(n)}$ with $p(n) \in \mathrm{poly}(n)$ is a one-way function if for every probabilistic polynomial time (in $n$) algorithm $A$ the inverting probability $\Pr[f(A(f(X))) = f(X)]$ is negligible.

A hard-core function $h : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^m$ can intuitively extract bits from the input of a one-way function $f$ such that these bits look random, even given $f(x)$. We can distinguish (strong) hard-core functions, where the output is indistinguishable from a random string of length $m$ (which we denote by $U^m$), and weak hard-core functions, where the output of the function is hard to predict.

Definition 3 (Strong hard-core function). An efficiently computable family $h : \{0,1\}^n \times \{0,1\}^{k(n)} \to \{0,1\}^{m(n)}$ of functions, with $k(n), m(n) \in \mathrm{poly}(n)$, is a (strong) hard-core function if, for every one-way function $f : \{0,1\}^n \to \{0,1\}^{p(n)}$ and every probabilistic polynomial time algorithm $A$, the distinguishing advantage given by $\Pr[A(f(X), R, h(X, R)) = 1] - \Pr[A(f(X), R, U^m) = 1]$ is negligible in $n$.

Definition 4 (Weak hard-core function). An efficiently computable family $h : \{0,1\}^n \times \{0,1\}^{k(n)} \to \{0,1\}^{m(n)}$ of functions, with $k(n), m(n) \in \mathrm{poly}(n)$, is a weak hard-core function if, for every one-way function $f : \{0,1\}^n \to \{0,1\}^{p(n)}$ and every probabilistic polynomial time algorithm $A$, the advantage of $A$ in guessing $h(x, r)$ on input $f(x)$ and $r$, defined as $\Pr[A(f(X), R) = h(X, R)] - 2^{-m}$, is negligible in $n$.

³ We require the list-decoding algorithm to work in time $\lambda \cdot \mathrm{poly}(\log(|\mathcal{X}|))$. Note that in some cases, $\lambda$ will be superpolynomial in the input size $\log(|\mathcal{X}|)$ and $\log(|\mathcal{Y}|)$.
In general, weak hard-core functions are easier to construct than strong ones. However, we will see that for small outputs the notions are equivalent.

As shown in [Sud00], any list-decodable code $h : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^m$ as defined above yields a weak hard-core function. To prove this, one assumes for the sake of contradiction that an algorithm $B$ is given which on input $f(x)$ and $r$ predicts $h(x, r)$ with probability higher than $2^{-m} + \varepsilon$, for some non-negligible⁴ $\varepsilon$. After arguing that $B$ needs to have a reasonable success probability for a significant subset of the possible values for $x$, one then uses $B$ as the oracle in the list-decoding algorithm. The resulting list, which is small, then contains $x$ with non-negligible probability, and one can find a preimage of $f(x)$ by applying $f$ to all values in the list.

In such a reduction, the running time of the resulting algorithm is dominated by the running time of $B$. Thus, one is interested in the exact number $k$ of oracle calls, while the exponent in the running time of the (polynomial) algorithm is of minor importance. In this application, the second input (from $\{0,1\}^k$) corresponds to a random string. As randomness is an expensive resource, one wants $k$ to be as small as possible. We show how to achieve $k = n$ for any $m$.



2.4 Previous Work 

The fundamental result on bilinear list-decodable codes implicitly appears in [GL89], stating that the Reed-Muller code of first order, defined as $h : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}$, $h(x, y) = \langle x, y \rangle = \bigoplus_i x_i y_i$, has an algorithm which efficiently list-decodes it up to an error rate of $\frac{1}{2} - \varepsilon$ (i.e., from agreement $\frac{1}{2} + \varepsilon$), for any $\varepsilon > 0$.

The standard proof used today was found independently by Levin and Rackoff and is given in [Gol01] (see also [Lev87]). In [Has03], Hast introduces the extension of list-decoding algorithms for oracles with erasures. The existence of the resulting algorithm is asserted in the following theorem:

Theorem 5 (Goldreich-Levin, cf. [Has03]). For any $\varepsilon, \delta > 0$, the function $h : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}$, $h(x, r) = \langle x, r \rangle$ is $(\delta, \varepsilon)$-list-decodable with list size $O(\frac{1}{\delta \varepsilon^2})$ and $O(\frac{n}{\delta \varepsilon^2})$ oracle calls. The list-decoding algorithm needs $\delta \varepsilon^2$ as input.

This theorem is slightly stronger than the original version in [Has03], where an additional factor $n$ appears in the number of oracle calls and the list size. The version as stated here can be obtained by applying a trick that appears in [Gol01, Section 2.5.2.4].⁵

It is natural to generalize this theorem to vector spaces over any finite field. For this, the best known result is given in [GRS00].

Theorem 6. For any $\delta, \varepsilon > 0$, the function $h : \mathbb{F}^n \times \mathbb{F}^n \to \mathbb{F}$, $h(x, r) = \langle x, r \rangle$ is $(\delta, \varepsilon)$-list-decodable with list size $\mathrm{poly}(n, \frac{1}{\delta \varepsilon})$ and $\mathrm{poly}(n, \frac{1}{\delta \varepsilon})$ oracle calls. The list-decoding algorithm needs $\delta \varepsilon$ as input.

⁴ We use non-negligible to denote a function which is not negligible.

⁵ Basically, one uses a linear, asymptotically optimal error-correcting code to find $x$ instead of finding the bits one by one.
The algorithm which is used to prove Theorem 6 is similar to the original algorithm given in [GL89]. The exponents in $\mathrm{poly}(n, \frac{1}{\delta \varepsilon})$ are rather high, so we refrain from stating them explicitly.

Näslund shows in [Nas95] that for any one-way function $f(x)$, a hard-core predicate can be obtained if one interprets $x$ as a value in $GF(2^n)$, and outputs any bit of $ax + b$ for randomly chosen $a$ and $b$; a result which also follows from the characterization in this paper. Furthermore, he proves that for randomly chosen $a$, $b$ and prime $p$ the least significant bit of $ax + b \bmod p$ is a hard-core predicate. More generally, in [Nas96] he shows that all bits of $ax + b \bmod p$ are hard-core.

In a different line of research, in [STV01] Sudan et al. give very strong list-decodable codes which are not bilinear, based on Reed-Muller codes. These codes can also be used to obtain hard-core functions for any one-way function.

In [AGS03], Akavia et al. show that list-decoding can also be used to prove specific hard-core results. For example, they give a proof based on list-decodable codes that the least significant bit of RSA is hard-core (which was first shown in [ACGS88]).

3 Full-Rank Bilinear Functions 

The main technical goal of this paper is to give a list-decoding procedure for any bilinear function $h : \mathbb{F}^n \times \mathbb{F}^k \to \mathbb{F}^m$. In this section, we will first consider a simple, but very general subset of bilinear functions, namely full-rank bilinear functions $h$ (i.e., $\mathrm{rank}(\ell \circ h) = n$ for every $\ell \neq 0$). We show that these functions have very good list-decoding algorithms.

In a second step we will construct full-rank bilinear functions $h : \mathbb{F}^n \times \mathbb{F}^k \to \mathbb{F}^m$ which are optimal in the sense that for fixed $n$ the dimension $k$ is made as small as possible, while for $m$ every value $0 < m < k$ is possible. This allows us to give a very large class of strong hard-core functions.

3.1 List-Decoding of Full-Rank Functions 

In this section, we give a list-decoding algorithm for every full-rank bilinear function $h : \mathbb{F}^n \times \mathbb{F}^k \to \mathbb{F}^m$. In particular, for the case $\mathbb{F} = GF(2)$, we will show that there exists a list-decoding algorithm for $h$ which is as strong as the one guaranteed in Theorem 5.

Theorem 7. Let $h : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^m$ be a full-rank bilinear function. For any $\delta, \varepsilon > 0$, the function $h(x, y)$ is $(\delta, \varepsilon)$-list-decodable with list size $O(\frac{1}{\delta \varepsilon^2})$ and $O(\frac{n}{\delta \varepsilon^2})$ oracle calls. The list-decoding algorithm needs $\delta \varepsilon^2$ as input.

For general finite fields, analogously to Theorem 6, the following holds.

Theorem 8. Let $h : \mathbb{F}^n \times \mathbb{F}^k \to \mathbb{F}^m$ be a full-rank bilinear function. For any $\delta, \varepsilon > 0$, the function $h(x, y)$ is $(\delta, \varepsilon)$-list-decodable with list size $\mathrm{poly}(n, \frac{1}{\delta \varepsilon})$ and $\mathrm{poly}(n, \frac{1}{\delta \varepsilon})$ oracle calls. The list-decoding algorithm needs $\delta \varepsilon$ as input.
To prove Theorems 7 and 8, we describe an algorithm which, on access to an oracle $\mathcal{O}$ with rate $\delta$, outputs a list of all $x \in \mathbb{F}^n$ which satisfy

$\Pr[\mathcal{O}(Y) = h(x, Y) \mid \mathcal{O}(Y) \neq \bot] \geq \frac{1}{q^m} + \varepsilon. \qquad (1)$



For this purpose we convert $\mathcal{O}$ to an oracle $\mathcal{O}'$ with the same rate and related advantage, but for a different code. Namely, $\mathcal{O}'$ will have advantage $\varepsilon/2$ on $\langle x, r \rangle$ for any $x$ which satisfies (1), i.e., $\Pr[\mathcal{O}'(R) = \langle x, R \rangle \mid \mathcal{O}'(R) \neq \bot] \geq \frac{1}{q} + \frac{\varepsilon}{2}$. Applying Theorems 5 and 6, respectively, then yields the result.

In the following, let $L$ be a uniform random function from $\mathcal{L}_m^*$, i.e., $L$ is a random variable taking as values functions from $\mathcal{L}_m^*$. We show that if a value $z$ returned by the oracle is better than a random guess for $h(x, y)$, then $L(z)$ is better than a random guess for $L(h(x, y))$ as well. To see why this holds, we first compute the probability that $L(a)$ equals $L(b)$ for two distinct values $a$ and $b$; this probability is close to $1/q$.

Lemma 9. For any distinct $a, b \in \mathbb{F}^m$, $\Pr[L(a) = L(b)] = \frac{q^{m-1} - 1}{q^m - 1}$.

Proof. First note that $\Pr[L(a) = L(b)] = \Pr[L(a - b) = 0] = \Pr[L(v) = 0]$ for some $v \neq 0$. If $L'$ is chosen uniformly at random from all functions in $\mathcal{L}_m$ (not excluding $0$), then $\Pr[L'(v) = 0] = \frac{1}{q}$, and since $0(v) = 0$ for every $v$, we can write

$\frac{1}{q} = \Pr[L'(v) = 0] = \underbrace{\frac{1}{q^m}}_{\Pr[L' = 0]} \cdot 1 + \underbrace{\frac{q^m - 1}{q^m}}_{\Pr[L' \neq 0]} \cdot \Pr[L(v) = 0],$

which implies the lemma. □

Now we can estimate the probability that $L(Z_1)$ equals $L(Z_2)$ for two random variables $Z_1$ and $Z_2$. Later, $Z_2$ will be $h(x, Y)$ and $Z_1$ a guess of an oracle for $h(x, Y)$.

Lemma 10. Let $Z_1$ be a random variable over $\mathbb{F}^m \cup \{\bot\}$ and $Z_2$ a random variable over $\mathbb{F}^m$. If, for any $\varepsilon > 0$,

$\Pr[Z_1 = Z_2 \mid Z_1 \neq \bot] = \frac{1}{q^m} + \varepsilon,$

then

$\Pr[L(Z_1) = L(Z_2) \mid Z_1 \neq \bot] \geq \frac{1}{q} + \frac{\varepsilon}{2}.$



Proof. Obviously, if $Z_1 = Z_2$ we also have $\ell(Z_1) = \ell(Z_2)$ for every $\ell \in \mathcal{L}_m^*$. Using Lemma 9 we obtain

$\Pr[L(Z_1) = L(Z_2) \mid Z_1 \neq \bot] = \underbrace{\left(\frac{1}{q^m} + \varepsilon\right)}_{\Pr[Z_1 = Z_2 \mid Z_1 \neq \bot]} \cdot 1 + \underbrace{\left(1 - \frac{1}{q^m} - \varepsilon\right)}_{\Pr[Z_1 \neq Z_2 \mid Z_1 \neq \bot]} \cdot \frac{q^{m-1} - 1}{q^m - 1}$

$= \frac{1}{q} + \varepsilon \cdot \frac{q^{m-1}(q - 1)}{q^m - 1} \geq \frac{1}{q} + \frac{\varepsilon}{2},$

where the last inequality holds because $2 q^{m-1}(q - 1) \geq q^m - 1$ for every $q \geq 2$. □
Next, we translate a uniform query $r$ into a uniform pair $(\ell, y) \in \mathcal{L}_m^* \times \mathbb{F}^k$, such that $\langle x, r \rangle = \ell(h(x, y))$. We will be able to use this by giving $y$ to the oracle $\mathcal{O}$, which predicts $h(x, y)$, and then applying $\ell$ to get a prediction for $\langle x, r \rangle$. Since $y$ is uniform we will know the advantage of the oracle in predicting $h(x, y)$, and since $\ell$ is uniform, we can apply Lemma 10.

Lemma 11. Let $h : \mathbb{F}^n \times \mathbb{F}^k \to \mathbb{F}^m$ be a full-rank bilinear function. There exists an efficiently computable random mapping $G_h : \mathbb{F}^n \rightsquigarrow \mathcal{L}_m^* \times \mathbb{F}^k$ which, for a uniformly chosen input $r$, outputs a uniform random pair $(\ell, y)$ such that $\ell(h(x, y)) = \langle x, r \rangle$ for every $x$.

Proof. The algorithm implementing $G_h$ first chooses an $\ell \in \mathcal{L}_m^*$ uniformly at random. For a fixed $\ell$, let $M$ be the matrix for which $\ell(h(x, y)) = x^T M y$; note that $\mathrm{rank}(M) = n$. As a second step, the algorithm chooses $y$ as a uniform random solution of $My = r$, and returns the pair $(\ell, y)$. For every fixed $\ell$, if $r$ is uniformly distributed, the vector $y$ will be uniformly distributed (as $M$ has rank $n$, every $r$ has exactly $q^{k-n}$ solutions). Furthermore, $\ell(h(x, y)) = x^T M y = x^T r = \langle x, r \rangle$. □

The next lemma proves the claimed conversion; i.e., given an oracle which predicts $h(x, y)$ we implement an oracle which predicts $\langle x, r \rangle$. For this, on input $r$ the algorithm first gets a pair $(\ell, y)$ using Lemma 11. Then, it queries the given oracle $\mathcal{O}$ with $y$, applies $\ell$ to the output and returns the result.

Lemma 12. Let $h : \mathbb{F}^n \times \mathbb{F}^k \to \mathbb{F}^m$ be a full-rank bilinear function. There is an efficient oracle algorithm $A$ such that for any $\varepsilon > 0$, every $x \in \mathbb{F}^n$ and any oracle $\mathcal{O} : \mathbb{F}^k \rightsquigarrow \mathbb{F}^m \cup \{\bot\}$ which satisfies

$\Pr[\mathcal{O}(Y) = h(x, Y) \mid \mathcal{O}(Y) \neq \bot] \geq \frac{1}{q^m} + \varepsilon,$

algorithm $A$ satisfies

$\Pr[A^{\mathcal{O}}(R) = \langle x, R \rangle \mid A^{\mathcal{O}}(R) \neq \bot] \geq \frac{1}{q} + \frac{\varepsilon}{2}$

and $\Pr[A^{\mathcal{O}}(R) \neq \bot] = \Pr[\mathcal{O}(Y) \neq \bot]$. Algorithm $A$ makes one oracle call to $\mathcal{O}$.

Proof. Given a uniformly chosen $r$, the algorithm first evaluates the function $G_h(r)$ as guaranteed by Lemma 11, to get a uniform pair $(\ell, y)$ with $\ell(h(x,y)) = \langle x, r\rangle$. It then queries the oracle with $y$. In case the answer $z$ is not $\bot$ it returns $\ell(z)$; otherwise it returns $\bot$.

Let $x$ be fixed such that

$\Pr[O(Y) = h(x, Y) \mid O(Y) \neq \bot] \geq \frac{1}{q^m} + \varepsilon.$

Lemma 10 implies that

$\Pr[L(O(Y)) = L(h(x, Y)) \mid O(Y) \neq \bot] \geq \frac{1}{q} + \frac{\varepsilon}{2}.$

Since $(\ell, y)$ is uniformly distributed, this together with $\ell(h(x,y)) = \langle x, r\rangle$ concludes the proof. □
Lemma 12 can be seen as a reduction of a code to another one, in the sense
that given a noisy codeword of one code we can generate a noisy codeword of a 
related code such that the Hamming distances to codewords are related in some 
sense. The proofs of Theorems 7 and 8 are now obvious. 

Proof (of Theorems 7 and 8). Use Lemma 12, and apply Theorems 5 and 6, 
respectively. □ 

3.2 Construction of Full-Rank Functions 

As mentioned before, a list-decodable code can be used to obtain a hard-core 
function, which means that a family of full-rank bilinear functions can be used 
as a hard-core function. This is stated in the following proposition (a more exact 
version will be given in Theorem 25, Section 5). 

Proposition 13. Any efficiently computable family of full-rank bilinear functions $h : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^m$, where $k \in \mathrm{poly}(n)$ and $m \in O(\log n)$, is a strong hard-core function.

The proposition implies that in order to give a hard-core function it is sufficient to construct a full-rank bilinear function family. In this section, we will present constructions which appear in the literature as hard-core functions, and show that they satisfy $\mathrm{rank}(\ell \circ h) = n$ for every $\ell$.

As usual in the context of hard-core functions, we will explain the construc- 
tions for vector spaces over {0, 1}. However, all constructions immediately gen- 
eralize to vector spaces over any finite field. 

Recall that any bilinear function $h : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^m$ can be described by a sequence $M_1, \ldots, M_m$ of $n \times k$ matrices over $\mathrm{GF}(2)$ as $h(x,r) = (x^{\mathsf T} M_1 r, \ldots, x^{\mathsf T} M_m r)$. It follows that for every $\ell$ there exists a non-empty subset $I \subseteq \{1, \ldots, m\}$ such that the function $\ell \circ h$ can be written as $\ell(h(x,r)) = x^{\mathsf T}\big(\sum_{i \in I} M_i\big) r$.

In order to get a full-rank bilinear function it is therefore sufficient to give matrices $M_1, \ldots, M_m$ which satisfy

$\mathrm{rank}\Big(\sum_{i \in I} M_i\Big) = n \quad \text{for every } I \neq \emptyset. \qquad (2)$

Example 14. In [Lub96] it is shown that $O(\log n)$ independent inner product bits give a hard-core function. This function $h : \{0,1\}^n \times \{0,1\}^{nm} \to \{0,1\}^m$ is defined by matrices $M_1, \ldots, M_m$ such that $M_i$ consists of all zeros, except that from column $n(i-1)+1$ to $ni$ it contains an $n \times n$ identity matrix. Here it is obvious that (2) is satisfied.

Example 15. In order to keep the dimension $k$ small, one can obtain a full-rank bilinear function $h : \{0,1\}^n \times \{0,1\}^{n+m-1} \to \{0,1\}^m$ with the construction given in [Gol01] and [GL89]. There, $M_i$ is a matrix of size $n \times (n+m-1)$ which contains only zeros with the exception of an $n \times n$ identity matrix starting at column $i$. Again, it is obvious that (2) holds.
Note that since $\mathrm{rank}(\ell \circ h)$ cannot be larger than $k$ for any $\ell$, it is necessary to have $k \geq n$. If $m$ is small enough this is indeed sufficient:

Theorem 16. Let vector spaces $\{0,1\}^n$, $\{0,1\}^k$ and $\{0,1\}^m$ over $\{0,1\}$ be given. If $n \leq k$ and $m \leq k$, then there exists a full-rank bilinear function $h : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^m$.

Proof. We first note that it is sufficient to give a full-rank bilinear function $\{0,1\}^k \times \{0,1\}^k \to \{0,1\}^k$ for every $k$, since one can first obtain a bilinear function $\{0,1\}^k \times \{0,1\}^k \to \{0,1\}^m$ by ignoring some of the output coordinates, and in a second step one can get a full-rank bilinear function $\{0,1\}^n \times \{0,1\}^k \to \{0,1\}^m$ by setting some of the inputs to the first argument to zero.

To construct a full-rank bilinear function $h : \{0,1\}^k \times \{0,1\}^k \to \{0,1\}^k$ we observe that the finite field $\mathrm{GF}(2^k)$ is a vector space over $\{0,1\}$ of dimension $k$, and for every $x \in \mathrm{GF}(2^k)$ the map $g_x(r) = x \cdot r$ is linear. Let $z_1, \ldots, z_k$ be a basis of $\mathrm{GF}(2^k)$ and let $M_i$ be the matrix which describes the linear mapping $g_{z_i}$ in this basis. Since for any $I \neq \emptyset$ the matrix $\sum_{i \in I} M_i$ describes the linear mapping $g_z$ for some non-zero $z \in \mathrm{GF}(2^k)$, this map is invertible and thus has rank $k$. □

The bilinear function used in this proof is strongly related to the hard-core function given at the end of [GRS00], and indeed the function given there also satisfies the rank condition needed for Theorem 8⁶.
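The three constructions above (Examples 14 and 15 and the GF(2^k) construction in the proof of Theorem 16) can be checked against condition (2) mechanically for small parameters. The following Python script is an added example, not code from the paper: it builds the matrices M_1, …, M_m of each construction over GF(2), checks rank(Σ_{i∈I} M_i) = n for every non-empty I, and also includes a constructed counterexample (M_1 = M_2 = I, i.e. the same inner-product bit output twice) that violates (2). The irreducible polynomial and the basis z_i = X^{i-1} for GF(2^k) are choices made here, not taken from the paper.

```python
"""Constructions of Section 3.2 and the full-rank check (2), worked over GF(2).

Added example (not code from the paper). Builds M_1..M_m for Example 14, Example 15
and the GF(2^k) construction of Theorem 16, then checks condition (2):
rank(sum_{i in I} M_i) = n over GF(2) for every non-empty I.
Matrices are lists of n row bitmasks; bit j of a row is the entry in column j.
"""
from itertools import combinations


def gf2_rank(rows):
    """Rank over GF(2) of a matrix given as row bitmasks (Gaussian elimination)."""
    rows = list(rows)
    rank = 0
    width = max((r.bit_length() for r in rows), default=0)
    for bit in range(width):
        pivot = next((i for i in range(rank, len(rows)) if rows[i] >> bit & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and rows[i] >> bit & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank


def luby_matrices(n, m):
    """Example 14: M_i is zero except for an n x n identity in columns n(i-1)+1 .. ni (k = nm)."""
    return [[1 << (n * i + j) for j in range(n)] for i in range(m)]


def shifted_identity_matrices(n, m):
    """Example 15: M_i is n x (n+m-1), zero except for an n x n identity starting at column i."""
    return [[1 << (i + j) for j in range(n)] for i in range(m)]


def gf2_poly_mod(a, b):
    """Remainder of polynomial a modulo b over GF(2) (polynomials as bitmasks)."""
    db = b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        a ^= b << (a.bit_length() - 1 - db)
    return a


def irreducible_poly(k):
    """Smallest irreducible polynomial of degree k over GF(2) (brute force; fine for small k)."""
    for p in range(1 << k, 1 << (k + 1)):
        if all(gf2_poly_mod(p, d) != 0 for d in range(2, 1 << (k // 2 + 1))):
            return p


def gf2k_mul(a, b, p, k):
    """Multiply a and b in GF(2^k) = GF(2)[X] / (p), with p irreducible of degree k."""
    res = 0
    while b:
        if b & 1:
            res ^= a
        b >>= 1
        a <<= 1
        if a >> k & 1:
            a ^= p
    return res


def field_mult_matrices(k):
    """Theorem 16: M_i describes r -> z_i * r in GF(2^k) for the basis z_i = X^(i-1), i = 1..k."""
    p = irreducible_poly(k)
    mats = []
    for i in range(k):
        # Column j of M_i is the image of the basis vector X^j under multiplication by X^i.
        cols = [gf2k_mul(1 << i, 1 << j, p, k) for j in range(k)]
        rows = [sum(((cols[j] >> t) & 1) << j for j in range(k)) for t in range(k)]
        mats.append(rows)
    return mats


def repeated_inner_product_matrices(n):
    """Constructed counterexample: h(x, r) = (<x,r>, <x,r>), so M_1 = M_2 = I and I = {1, 2} breaks (2)."""
    identity = [1 << j for j in range(n)]
    return [identity, list(identity)]


def satisfies_condition_2(mats, n):
    """Condition (2): rank(sum_{i in I} M_i) = n over GF(2) for every non-empty I subset of {1..m}."""
    m = len(mats)
    for size in range(1, m + 1):
        for subset in combinations(range(m), size):
            summed = [0] * n
            for i in subset:
                summed = [a ^ b for a, b in zip(summed, mats[i])]
            if gf2_rank(summed) != n:
                return False
    return True


if __name__ == "__main__":
    n, m, k = 5, 3, 6
    print("Example 14 (Luby):       ", satisfies_condition_2(luby_matrices(n, m), n))
    print("Example 15 (GL89/Gol01): ", satisfies_condition_2(shifted_identity_matrices(n, m), n))
    print("Theorem 16 (GF(2^k)):    ", satisfies_condition_2(field_mult_matrices(k), k))
    print("Repeated inner product:  ", satisfies_condition_2(repeated_inner_product_matrices(n), n))
```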

4 General Bilinear Functions 

In this section we give a list-decoding algorithm for every (possibly non-full-rank) bilinear function. Using the same technique as in Section 3.1 we prove the following analogue of Theorem 7 (recall that $\rho(h) = \ldots$).

Theorem 17. Let $h : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^m$ be any bilinear function. After a preprocessing phase taking time $2^m \cdot \mathrm{poly}(k, n)$, the function $h(x,y)$ is $(\delta, \varepsilon)$-list-decodable with list size $O(\ldots)$ and an expected number $O(n \cdot \ldots)$ of oracle calls. The algorithm needs $\delta\varepsilon^2$ as input.

Note that $O(\ldots)$ is the expected number of queries. For general finite fields Theorem 18 holds.

Theorem 18. Let $h : F^n \times F^k \to F^m$ be any bilinear function over $F$. After a preprocessing phase taking time $q^m \cdot \mathrm{poly}(n, k)$, the function $h(x,y)$ is $(\delta, \varepsilon)$-list-decodable with list size $\rho(h) \cdot \mathrm{poly}(n, k, \ldots)$ and an expected number of $\mathrm{poly}(n, k, \ldots)$ oracle calls. The list-decoding algorithm needs $\delta\varepsilon$ as input.

⁶ The functions are not identical, but if one considers the "cube" given by stacking the matrices for different linear maps $\ell$, then the functions are obtained from each other by a rotation of this cube. It is possible to show that for any two cubes which are obtained by rotation from each other, the corresponding function satisfies the full-rank condition if and only if the same holds for the other cube.
As before we prove these theorems by converting a given oracle $O$ which on input $y$ predicts $h(x,y)$ to an oracle $O'$ which on input $r$ predicts $\langle x, r\rangle$. We use Lemma 10 again (and thus Lemma 9), but we modify Lemmas 11 and 12.

A problem is that for some $r$ it may be impossible to choose a pair $(\ell, y)$ with $\ell(h(x,y)) = \langle x, r\rangle$ for every $x$. This will force our reduction to return $\bot$ on input $r$, since there is no way to get a reasonable guess for $\langle x, r\rangle$ from $O$. Furthermore, the pair $(\ell, y)$ must be uniformly distributed, which makes the conversion return $\bot$ more often. We get the following generalization of Lemma 11:

Lemma 19. Let $h : F^n \times F^k \to F^m$ be a bilinear function. There exists an efficiently computable mapping $G_h : F^n \to (F^k \times \mathcal{L}^m) \cup \{\bot\}$ which, on uniformly distributed input $r$, outputs $\bot$ with probability $1 - 1/\rho(h)$ and otherwise a uniform random pair $(\ell, y)$ satisfying $\ell(h(x,y)) = \langle x, r\rangle$ for all $x$. The algorithm uses a precomputation with time complexity $q^m \cdot \mathrm{poly}(n, k)$.



Proof. First, as a precomputation, for every $\ell \in \mathcal{L}^m$ the algorithm calculates $q^{\mathrm{rank}(\ell \circ h)}$ and stores it in such a way that later it is possible to efficiently draw an element $\ell \in \mathcal{L}^m$ with probability $q^{n - \mathrm{rank}(\ell \circ h)}/\rho(h)$, where $\rho(h) = \ldots$

After the precomputation, on input $r$, the algorithm chooses $\ell$ according to this probability distribution and obtains the matrix $M$ with $\ell(h(x,y)) = x^{\mathsf T} M y$. If the system $My = r$ is solvable, it chooses a solution $y$ uniformly at random and returns $(\ell, y)$; otherwise it returns $\bot$.

Note that the precomputation can obviously be done in time $q^m \cdot \mathrm{poly}(n, k)$ and every returned pair $(\ell, y)$ satisfies $\ell(h(x,y)) = \langle x, r\rangle$.

For a fixed $\ell$ and uniformly chosen $r$, the probability that there exists a $y$ such that $My = r$ is $q^{\mathrm{rank}(M) - n} = q^{\mathrm{rank}(\ell \circ h) - n}$. Furthermore, conditioned on the event that the system above is solvable, every vector $y$ has the same probability. This implies that the probability that a fixed pair $(\ell, y)$ is returned is

$\Pr[G_h(R) = (\ell, y)] = \frac{q^{n - \mathrm{rank}(\ell \circ h)}}{\rho(h)} \cdot q^{\mathrm{rank}(\ell \circ h) - n} \cdot \frac{1}{q^k} = \frac{1}{q^k\,\rho(h)},$

which is independent of the pair $(\ell, y)$. Summing over all possible pairs $(\ell, y)$ we get $\Pr[G_h(R) \neq \bot] = 1/\rho(h)$. □

We point out that the probability of $G_h$ not returning $\bot$ cannot be made any higher. To see why, first note that a pair $(\ell, y)$ can only be the answer for one specific input $r$. Furthermore, there are $q^k \rho(h)$ possible pairs $(\ell, y)$, which can only be output for $y = 0$; implying that every pair can occur with probability at most $q^{-k}\rho^{-1}(h)$.

Along the same line of reasoning as in Section 3, we can now prove the 
generalized version of Lemma 12. 

Lemma 20. Let $h : F^n \times F^k \to F^m$ be a bilinear function. There is an efficient oracle algorithm $A$ such that for any $\varepsilon > 0$, every $x \in F^n$ and any oracle $O : F^k \to F^m$ which satisfies

$\Pr[O(Y) = h(x, Y) \mid O(Y) \neq \bot] \geq \frac{1}{q^m} + \varepsilon,$

algorithm $A$ satisfies

$\Pr[A^O(R) = \langle x, R\rangle \mid A^O(R) \neq \bot] \geq \frac{1}{q} + \frac{\varepsilon}{2}$

and $\Pr[A^O(R) \neq \bot] = \frac{1}{\rho(h)}\Pr[O(R) \neq \bot]$. The algorithm makes one query to $O$ with probability $1/\rho(h)$. It uses a preprocessing phase with time complexity $q^m \cdot \mathrm{poly}(n, k)$.

Proof. The preprocessing is the one needed for $G_h$ of Lemma 19. On input $r$, the algorithm first uses $G_h$ to obtain either a pair $(\ell, y)$ or $\bot$. In the second case, the algorithm returns $\bot$ and does not make an oracle query; this happens with probability $1 - 1/\rho(h)$. If a pair $(\ell, y)$ is returned, the algorithm makes one query $z = O(y)$. If $z \neq \bot$ the algorithm returns $\ell(z)$, otherwise it returns $\bot$.

We fix $\varepsilon$ and $x$ such that $\Pr[O(Y) = h(x, Y) \mid O(Y) \neq \bot] \geq \frac{1}{q^m} + \varepsilon$. Lemma 10 implies that $\Pr[L(O(Y)) = L(h(x, Y)) \mid O(Y) \neq \bot] \geq \frac{1}{q} + \frac{\varepsilon}{2}$. Conditioned on the event that $A$ makes a query to $O$, the pair $(\ell, y)$ is uniformly distributed and satisfies $\ell(h(x,y)) = \langle x, r\rangle$. Also, when $A$ does not make a query to $O$ it returns $\bot$. This implies

$\Pr[L(O(Y)) = L(h(x, Y)) \mid O(Y) \neq \bot] = \Pr[A^O(R) = \langle x, R\rangle \mid A^O(R) \neq \bot].$

Finally, we see that $A$ does not return $\bot$ if both $G_h$ of Lemma 19 and $O$ do not return $\bot$, which happens with probability $\frac{1}{\rho(h)}\Pr[O(Y) \neq \bot]$. □

Using this conversion, the proofs of Theorems 17 and 18 are now straightforward.

Proof (of Theorems 17 and 18). Use Lemma 20 and apply Theorems 5 and 6, respectively. □

5 Implications for Hard-Core Functions 

The results of the previous sections have implications in cryptography, namely for one-way functions. In particular, under a reasonable complexity-theoretic assumption the results allow us to classify basically every bilinear function family $h : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^m$ according to whether it is a strong hard-core function or not.

We formulate our results in the context of uniform algorithms, but they 
immediately generalize to a non-uniform context. 

5.1 Weak vs. Strong Hard-Core Functions 

In general, it is easier to construct weak hard-core functions than to construct strong ones. For example, the identity function $h(x) = x$ is a weak hard-core function for any one-way function $f$ (predicting $x$ given $f(x)$ is the same as inverting $f$), but not a strong hard-core function (given $f(x)$ it is easy to distinguish $x$ from a random value).
For small output values the two notions are equivalent: every weak hard-core function $h : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^m$ for $m \in O(\log n)$ is also a strong one. This follows from the fact that any distinguisher for such a function can be converted to a predictor. More concretely, assume that an oracle $O$ has advantage $\varepsilon$ in distinguishing $h(x,y)$ from a random value. It is well known that one can get a predictor with advantage $\ldots$ from $O$ (see for example [Lub96]). The following lemma improves this fact by following the idea of Hast that, in cryptographic applications, a distinguisher often comes from an algorithm which tries to break a scheme; if it succeeds then it is almost certain that the input was not random. This can be used to obtain a predictor with lower rate but higher advantage. In the following lemma we use this idea since the probability $p_0$ that a distinguisher answers 1 on random input can be very small. By replacing $\bot$ with a uniform random output one obtains the well-known version mentioned above.

Lemma 21. There exists a randomized oracle algorithm $A$ such that for any $z \in \{0,1\}^m$, oracle $O$ with

$p_0 := \Pr[O(U^m) = 1]$

and $\varepsilon$ defined by

$p_0(1 + \varepsilon) = \Pr[O(z) = 1],$

algorithm $A$ queries $O$ once and outputs a value from $\{0,1\}^m \cup \{\bot\}$ such that

$\Pr[A^O \neq \bot] = p_0$

and

$\Pr[A^O = z \mid A^O \neq \bot] = \frac{1}{2^m} + 2^{-m}\varepsilon.$

Proof. Algorithm $A$ chooses a uniform random value $z' \in \{0,1\}^m$. It then queries $O(z')$ and outputs $z'$ if the oracle outputs 1. Otherwise, it outputs $\bot$.

The probability that $A$ outputs $\bot$ is $1 - p_0$. The probability that $A$ outputs $z$ is $2^{-m}(p_0(1 + \varepsilon))$ and thus the probability that $A$ outputs $z$ conditioned on the event that it does not output $\bot$ is $2^{-m}(1 + \varepsilon)$. □
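As an added example (not code from the paper), the following Python script computes Lemma 21 exactly for a small constructed distinguisher with m = 3: a table of Pr[O(z') = 1] stands in for the oracle, and the rate p_0 and conditional success (1 + ε)/2^m of the predictor A are compared with the classical variant that replaces ⊥ by a uniform guess. The table values, z = 5 and the Monte Carlo seed are constructed here.

```python
"""Lemma 21 as an exact computation: converting a distinguisher into a predictor.

Added example, not code from the paper. A distinguisher O: {0,1}^m -> {0,1} is
modelled by a constructed table giving Pr[O(z') = 1] for every z'. We compute
p_0 = Pr[O(U^m) = 1], the advantage eps with p_0 (1 + eps) = Pr[O(z) = 1], and the
exact rate Pr[A != bot] and success Pr[A = z | A != bot] of the Lemma 21 predictor
(draw z' uniformly, output z' iff O(z') = 1, else bot), next to the classical
variant that replaces bot by a uniform guess. A Monte Carlo run checks the values.
"""
from fractions import Fraction
import random

M = 3  # output length m; the oracle's table has 2^m entries

# Constructed "breaker"-style distinguisher: answers 1 with probability 9/10 on the
# real value z = 5, rarely (1/10) on two other inputs, and never elsewhere.
EXAMPLE_TABLE = [Fraction(0)] * (1 << M)
EXAMPLE_TABLE[5] = Fraction(9, 10)
EXAMPLE_TABLE[1] = Fraction(1, 10)
EXAMPLE_TABLE[6] = Fraction(1, 10)
Z = 5


def p0_and_eps(table, z):
    """p_0 = Pr[O(U^m) = 1] for uniform U^m, and eps with p_0 (1 + eps) = Pr[O(z) = 1]."""
    p0 = sum(table) / len(table)
    return p0, table[z] / p0 - 1


def lemma21_predictor(table, z):
    """Exact (Pr[A != bot], Pr[A = z | A != bot]) for the algorithm A of Lemma 21."""
    rate = sum(table) / len(table)        # A outputs z' iff O(z') = 1, so the rate is p_0
    pr_output_z = table[z] / len(table)   # needs z' = z (prob 2^-m) and O(z) = 1
    return rate, pr_output_z / rate


def classical_predictor(table, z):
    """Variant that replaces bot by a uniform random guess: rate 1, but lower advantage."""
    rate, success = lemma21_predictor(table, z)
    return Fraction(1), rate * success + (1 - rate) / len(table)


def advantage(success, m):
    """Advantage over blind guessing, as in the lemma: success - 1/2^m."""
    return success - Fraction(1, 1 << m)


def simulate(table, z, trials, seed=1):
    """Monte Carlo run of A; returns empirical (rate, success conditioned on not bot)."""
    rng = random.Random(seed)
    answered = hits = 0
    for _ in range(trials):
        z_prime = rng.randrange(len(table))
        if rng.random() < float(table[z_prime]):  # oracle answers 1: keep the guess
            answered += 1
            hits += z_prime == z
    return answered / trials, hits / answered if answered else 0.0


if __name__ == "__main__":
    p0, eps = p0_and_eps(EXAMPLE_TABLE, Z)
    rate, success = lemma21_predictor(EXAMPLE_TABLE, Z)
    print(f"p0 = {p0}, eps = {eps}")
    print(f"Lemma 21 predictor: rate {rate}, success {success}, (1+eps)/2^m = {(1 + eps) / 2**M}")
    print(f"classical predictor: rate 1, success {classical_predictor(EXAMPLE_TABLE, Z)[1]}")
    print("Monte Carlo (rate, success):", simulate(EXAMPLE_TABLE, Z, 20000))
```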

As a corollary we obtain the following result: 

Corollary 22. Let $h : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^m$ be a weak hard-core function and $m \in O(\log n)$. Then, $h$ is a strong hard-core function.

Proof. Assume that $h$ is not a strong hard-core function. Then, there exists an algorithm $A$ which on input $(f(x), r)$ can distinguish $h(x,r)$ from a uniform random string with non-negligible advantage $\varepsilon$. According to Lemma 21 we can use this algorithm to obtain an algorithm which predicts the same string with success probability at least $\ldots$ and thus $h$ is not a weak hard-core function. □
5.2 List-Decodable Codes and Weak Hard-Core Functions

Every list-decodable code can be used as a weak hard-core function. The idea to prove this is to assume that the function $h$ is not a weak hard-core function, and to use the algorithm $A$ which predicts $h(x,r)$ given $f(x)$ and $r$ together with the list-decoding algorithm to find a list which contains $x$ with probability at least $1/2$. Applying $f$ to each element of the list and comparing the input we are guaranteed to find a preimage of $f(x)$ with high probability.

In our case, we would like to use the algorithm guaranteed in Theorem 17. This algorithm requires knowledge of the product $\delta\varepsilon^2$, and works as long as the correct value is at least as large as the value given to the algorithm.

Note that the value of $x$ is fixed during a run of algorithm $A$. Consequently such an algorithm can only be successful if the rate $\delta_x$ and advantage $\varepsilon_x$ for a fixed $x$ are large enough. However, typically only the rate $\delta$ and advantage $\varepsilon$ averaged over all $x$ are guaranteed to have a certain value. In order to show that this is sufficient we first prove that $\mathrm{E}[\delta_X \varepsilon_X^2] \geq \delta\varepsilon^2$. In the following lemma, it is useful to think of $Z$ as an indicator variable which is 1 if the predictor guesses correctly, 0 on a wrong guess and $\bot$ if the predictor refuses to produce a guess. The random variable $X$ corresponds to the value of $x$.



Lemma 23. Let $X$ be a uniformly distributed random variable over $\mathcal{X}$ and let $Z$ be some random variable in $\{0, 1, \bot\}$. Let $\delta := \Pr[Z \neq \bot]$ and $\delta_x := \Pr[Z \neq \bot \mid X = x]$. Fix any constant $c$ and let $\varepsilon := \Pr[Z = 1 \mid Z \neq \bot] - c$ and $\varepsilon_x := \Pr[Z = 1 \mid X = x \wedge Z \neq \bot] - c$. Then,

$\mathrm{E}[\delta_X \varepsilon_X^2] \geq \delta\varepsilon^2.$

Proof. First we observe that $\delta = \frac{1}{|\mathcal{X}|}\sum_{x \in \mathcal{X}} \delta_x$. Furthermore we have

$c + \varepsilon = \frac{\Pr[Z = 1]}{\Pr[Z \neq \bot]} = \frac{\sum_{x \in \mathcal{X}} \Pr[Z = 1 \mid X = x]}{\sum_{x \in \mathcal{X}} \delta_x} = \frac{\sum_{x \in \mathcal{X}} \delta_x (c + \varepsilon_x)}{\sum_{x \in \mathcal{X}} \delta_x} = c + \frac{\sum_{x \in \mathcal{X}} \delta_x \varepsilon_x}{\sum_{x \in \mathcal{X}} \delta_x}$

and thus $\varepsilon = \big(\sum_{x \in \mathcal{X}} \delta_x \varepsilon_x\big) / \big(\sum_{x \in \mathcal{X}} \delta_x\big)$. To show that

$\mathrm{E}[\delta_X \varepsilon_X^2] = \frac{1}{|\mathcal{X}|}\sum_{x \in \mathcal{X}} \delta_x \varepsilon_x^2 \geq \frac{1}{|\mathcal{X}|}\Big(\sum_{x \in \mathcal{X}} \delta_x\Big)\Bigg(\frac{\sum_{x \in \mathcal{X}} \delta_x \varepsilon_x}{\sum_{x \in \mathcal{X}} \delta_x}\Bigg)^2 = \delta\varepsilon^2,$

we note that this is equivalent to

$\Big(\sum_{x \in \mathcal{X}} \delta_x\Big)\Big(\sum_{x \in \mathcal{X}} \delta_x \varepsilon_x^2\Big) \geq \Big(\sum_{x \in \mathcal{X}} \delta_x \varepsilon_x\Big)^2,$

which follows directly from the Cauchy-Schwarz inequality. □
We now show how to use the list-decoding algorithm to invert a function $f$. The following lemma is usually used when $f$ is a one-way function, $m \in O(\log n)$ and $\rho(h) \in \mathrm{poly}(n)$, in which case it states that $h$ is a weak hard-core function.

Lemma 24. Let $f : \{0,1\}^n \to \{0,1\}^p$ be any efficiently computable function family. Let $h : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^m$ be any efficiently computable bilinear function with $k \in \mathrm{poly}(n)$. There exists an oracle algorithm $A$ such that for any $O : \{0,1\}^p \times \{0,1\}^k \to \{0,1\}^m \cup \{\bot\}$ which satisfies $\Pr[O(f(X), Y) \neq \bot] = \delta$ and $\Pr[O(f(X), Y) = h(X, Y) \mid O(f(X), Y) \neq \bot] = \frac{1}{2^m} + \varepsilon$, algorithm $A$ runs in time $\ldots \cdot \mathrm{poly}(n) + 2^m \cdot \mathrm{poly}(n)$ and satisfies

$\Pr[f(A^O(f(X))) = f(X)] \geq \ldots$

while making an expected number $O(n \cdot \ldots)$ of oracle calls to $O$. Algorithm $A$ needs $\delta\varepsilon^2$ as an input.

If $h$ is a full-rank bilinear function, the term $2^m \cdot \mathrm{poly}(n)$ in the running time can be omitted.

Proof. For any fixed $x \in \{0,1\}^n$, let $\delta_x := \Pr[O(f(x), Y) \neq \bot]$ and $\varepsilon_x := \Pr[O(f(x), Y) = h(x, Y) \mid O(f(x), Y) \neq \bot] - \frac{1}{2^m}$. Using Lemma 23 we obtain $\mathrm{E}[\delta_X \varepsilon_X^2] \geq \delta\varepsilon^2$. Since $0 \leq \delta_x \varepsilon_x^2 \leq 1$ for any $x$, we can apply Markov's inequality to obtain $\Pr[\delta_X \varepsilon_X^2 \geq \frac{1}{2}\delta\varepsilon^2] \geq \frac{1}{2}\delta\varepsilon^2$. A run of the algorithm guaranteed in Theorem 17 with input $\delta\varepsilon^2/2$ thus gives a set $\mathcal{A}$ of size at most $\ldots$ containing $x$ with probability at least $\frac{1}{4}\delta\varepsilon^2$, while doing an expected number $O(n \cdot \ldots)$ of oracle calls. Applying $f$ to each $x \in \mathcal{A}$ and testing if it is correct yields the claimed result. □

5.3 Bilinear Hard-Core Functions 

Lemma 21 converts a distinguisher to a predictor, while Lemma 24 uses a pre- 
dictor to invert a function. Combining these two lemmas gives the following 
theorem: 

Theorem 25. Let $f : \{0,1\}^n \to \{0,1\}^p$ be any efficiently computable function. Let $h : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^m$ be any efficiently computable bilinear function with $k \in \mathrm{poly}(n)$. There exists an oracle algorithm $A$ such that for $\varepsilon, \delta > 0$ and any $O : \{0,1\}^p \times \{0,1\}^k \times \{0,1\}^m \to \{0,1\}$ which satisfies

$\Pr[O(f(X), R, h(X, R))] = \delta, \quad \text{and} \quad \Pr[O(f(X), R, U^m)] = \delta(1 + \varepsilon),$

algorithm $A$ satisfies

$\Pr[f(A^O(f(X))) = f(X)] \geq \ldots$

and makes an expected number of $\ldots$ oracle queries to $O$. Algorithm $A$ runs in time $\ldots \cdot \mathrm{poly}(n) + 2^m \cdot \mathrm{poly}(n)$ and needs $\delta\varepsilon^2$ as input.

Proof. Combine Lemma 21 with Lemma 24. □

This theorem implies that any bilinear function $h : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^m$ with $m \in O(\log n)$ and $\rho(h) \in \mathrm{poly}(n)$ can be used as a hard-core function.

Corollary 26. Let $h : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^m$ be a bilinear function with $m \in O(\log n)$ and $\rho(h) \in \mathrm{poly}(n)$. Then $h$ is a strong hard-core function.

Proof. Assume otherwise and use Theorem 25 to arrive at a contradiction. □

5.4 Bilinear Functions not Suitable as Hard-Core Functions 

In this section we also consider bilinear functions $h : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^m$ for which $m \notin O(\log n)$ or $\rho(h) \notin \mathrm{poly}(n)$. One can show that $m \notin O(\log n)$ implies the existence of a function $\tilde m \in \omega(\log n)$ which is infinitely often smaller than $m$. Analogously, $\rho(h) \notin \mathrm{poly}(n)$ implies the existence of a function $\tilde\rho$ which is strictly superpolynomial (i.e., $\log(\tilde\rho) \in \omega(\log n)$) and infinitely often smaller than $\rho(h)$. We say that a hard-core function is regular if $m \in O(\log n)$ or a polynomial time computable function $\tilde m$ as above exists; and $\rho \in \mathrm{poly}(n)$ or a polynomial time computable $\tilde\rho$ as above exists.

We show that any regular bilinear function not satisfying the conditions of Corollary 26 is not a hard-core function if some reasonable complexity-theoretic assumption holds, namely the existence of a one-way permutation with exponential security.

Definition 27 (Very strong one-way permutation).^ A family of polynomial time computable functions $f : \{0,1\}^n \to \{0,1\}^n$ is a very strong one-way permutation if there exists a constant $c > 0$, such that for every algorithm $A$ with running time at most $2^{cn}$, the inverting probability $\Pr[f(A(f(X))) = f(X)]$ is at most $2^{-cn}$ for all but finitely many $n$.

Proving that no such functions exist would be a breakthrough in complexity theory. Furthermore, Gennaro and Trevisan show in [GT00] that in relativized worlds such functions exist, and thus our results exclude a relativizing hard-core result for any bilinear function which does not satisfy the conditions of Corollary 26 unconditionally.

As a first step, we show that it is impossible to use a bilinear function to extract $\omega(\log n)$ hard bits from $x$. Such a lemma was already hinted at in [GL89].

Lemma 28. Let $h : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^m$ be a regular bilinear function with $m \notin O(\log n)$. If a very strong one-way permutation exists, then $h$ is not a strong hard-core function.

^ We use permutations for the sake of simplicity. It is easy to see that arbitrary one-way functions with exponential security suffice to prove Theorem 30.
Proof. Since $m \notin O(\log n)$ and $h$ is regular, there exists a polynomial-time computable function $\tilde m \in \omega(\log n)$ with $\tilde m(n) < m(n)$ for infinitely many $n$.

We define a one-way function $f : \{0,1\}^n \to \{0,1\}^n$ for which it is easy to give a distinguisher for $h(x,r)$. For this purpose, let $g : \{0,1\}^{\tilde m/2} \to \{0,1\}^{\tilde m/2}$ be a very strong one-way permutation. On input $x \in \{0,1\}^n$, split the input $x$ into two parts, $x_1 \in \{0,1\}^{\tilde m/2}$ and $x_2 \in \{0,1\}^{n - \tilde m/2}$. The output of $f$ is then $g(x_1)$ concatenated with $x_2$. We see that $f$ is a one-way function, since an algorithm $A$ which inverts $f$ in $\mathrm{poly}(n)$-time with non-negligible success probability can be used to invert $g$ in time $\ldots$ with probability $\ldots$ for infinitely many $n$.

Furthermore, for any $n$ with $\tilde m(n) < m(n)$ it is easy to distinguish $h(x,r)$ from a random string, given $f(x)$ and $r$. First, we find $x_2$ from $f(x)$. Since $h(x,r) = x^{\mathsf T} M r$ we see that for fixed $x_2$ and $r$ only a subspace of dimension at most $\tilde m/2$ is possible as output value for $h(x,r)$. Also, it is easy to check whether a given value is within this subspace or not. Since a random value will be in the subspace with probability at most $2^{-\tilde m/2}$, $h$ cannot be a hard-core function. □

Using basically the same technique, we can now show that only functions with nearly full rank can be used as hard-core functions.

Lemma 29. Let $h : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^m$ be a regular bilinear function with $m \in O(\log n)$ and $\rho(h) \notin \mathrm{poly}(n)$. If a very strong one-way permutation exists, then $h$ is not a strong hard-core function.

Proof. Since $h$ is regular and $\rho(h) \notin \mathrm{poly}(n)$, there exists a function $\tilde\rho$ such that $\log(\tilde\rho) \in \omega(\log n)$ and $\tilde\rho(n) < \rho(h)(n)$ for infinitely many $n$.

As in the proof of Lemma 28, we construct a one-way function $f : \{0,1\}^n \to \{0,1\}^n$ by embedding a preimage of size $\{0,1\}^{\log(\tilde\rho(n))/2}$ to a very strong one-way permutation $g$. Consider an $n$ for which $\tilde\rho(n) < \rho(h)(n)$. For such an $n$ it is easy to find a linear map to embed the preimage to $g$ such that for some $\ell \in \mathcal{L}^m$ the value of $\ell(h(x,y))$ does not depend on the input to $g$. As in the proof of Lemma 28 it follows immediately that $f$ is a one-way function, and since $\ell(h(x,y))$ only depends on a part of $x$ which can be found by a linear transformation of the output, $h$ cannot be a hard-core function. □

Together, this implies the following theorem.

Theorem 30. Let $h : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^m$ be a regular bilinear function, and assume the existence of a very strong one-way permutation. Then $h$ is a strong hard-core function if and only if $\rho(h) \in \mathrm{poly}(n)$ and $m \in O(\log n)$.

Proof. If $\rho(h) \in \mathrm{poly}(n)$ and $m \in O(\log n)$, then $h$ is a hard-core function according to Corollary 26. If $m \in O(\log n)$ and $\rho(h) \notin \mathrm{poly}(n)$, then $h$ is not a hard-core function according to Lemma 29. If $m \notin O(\log n)$ then $h$ is not a hard-core function according to Lemma 28. □
Abstract. Many cryptographic primitives begin with parameter generation, which picks a primitive from a family. Such generation can use public coins (e.g., in the discrete-logarithm-based case) or secret coins (e.g., in the factoring-based case). We study the relationship between public-coin and secret-coin collision-resistant hash function families (CRHFs). Specifically, we demonstrate that:

— there is a lack of attention to the distinction between secret-coin 
and public-coin definitions in the literature, which has led to some 
problems in the case of CRHFs; 

— in some cases, public-coin CRHFs can be built out of secret-coin 
CRHFs; 

— the distinction between the two notions is meaningful, because in 
general secret-coin CRHFs are unlikely to imply public-coin CRHFs. 

The last statement above is our main result, which states that there is no 
black-box reduction from public-coin CRHFs to secret-coin CRHFs. Our 
proof for this result, while employing oracle separations, uses a novel ap- 
proach, which demonstrates that there is no black-box reduction without 
demonstrating that there is no relativizing reduction. 

1 Introduction 

1.1 Background 

Collision-Resistant Hashing. Collision-resistant (CR) hashing is one of the 
earliest primitives of modern cryptography, finding its first uses in digital signa- 
tures [Rab78,Rab79] and Merkle trees [Mer82,Mer89]. A hash function, of course, 
maps (potentially long) inputs to short outputs. Informally, a hash function is 
collision-resistant if it is infeasible to find two inputs that map to the same 
output. 

It is easy to see there is no meaningful way to formalize the notion of collision- 
resistance for a single fixed-output-length hash function. Indeed, at least half of 
the 2^161 possible 161-bit inputs to SHA-1 [NIS95] have collisions (because SHA-1
has 160-bit outputs). Hence, an algorithm finding collisions for SHA-1 is quite 
simple: it just has, hardwired in it, two 161-bit strings that collide. It exists, 
even if no one currently knows how to write it down. 

M. Franklin (Ed.): CRYPTO 2004, LNCS 3152, pp. 92-105, 2004.
© International Association for Cryptologic Research 2004

Due to this simple observation, formal definitions of collision-resistant hashing (first given by Damgård [Dam87]) usually speak of collision-resistant function
families (CRHFs)^. A hash function family is collision-resistant if any adversary, 
given a function chosen randomly from the family, is unable to output a collision 
for it. 

How to Choose from a Family? Most definitions of CRHFs do not dwell on 
the issue of how a hash function is to be chosen from a family. In this paper, we 
point out that this aspect of the definition is crucial. Indeed, in any application 
of collision-resistant hashing, some party P must choose a function from the 
family by flipping some random coins to produce the function description. As
we demonstrate, it is important to distinguish between two cases. In the public- 
coin case these random coins can be revealed as part of the function description. 
In the secret-coin case, on the other hand, knowledge of the random coins may 
allow one to find collisions, and thus P must keep the coins secret after the 
description is produced. (For examples of both cases, see Section 2.) We note 
that the original definition of [Dam87] is secret-coin, and that the secret-coin 
definition is more general: clearly, a public-coin CRHF will also work if one 
chooses to keep the coins secret. 

1.2 Initial Observations 

Importance of the Distinction. The distinction between public-coin and 
secret-coin CRHFs is commonly overlooked. Some works modify the secret-coin 
definition of [Dam87] to a public-coin definition, without explicitly mentioning 
the change (e.g., [BR97,Sim98]). Some definitions (e.g., [Mir01]) are ambiguous
on this point. This state of affairs leads to confusion and potential problems, as 
discussed in three examples below. 

Example 1. Some applications use the wrong definition of CRHF. For in- 
stance, in Zero-Knowledge Sets of Micali, Rabin and Kilian [MRK03], the 
prover uses a hash function to commit to a set. The hash function is chosen 
via a shared random string, which is necessary because the prover cannot be 
trusted to choose his own hash function (since a dishonest prover could ben- 
efit from finding collisions), and interaction with the verifier is not allowed at 
the commit stage (indeed, the prover does not yet know who the verifier(s) 
will be). In such a setting, one cannot use secret-coin CRHFs (however, in 
an apparent oversight, [MRK03] defines only secret-coin CRHFs). A clear 
distinction between public-coin and secret-coin CRHFs would make it easier 
to precisely state the assumptions needed in such protocols. 

Example 2. The result of Simon [Sim98] seems to claim less than the proof implies. Namely, the [Sim98] theorem that one-way permutations are unlikely to imply CRHFs is stated only for public-coin CRHFs, because that is the definition [Sim98] uses. It appears to hold also for secret-coin CRHFs, but this requires re-examining the proof. Such re-examination could be avoided had the definitional confusion been resolved.

^ It is possible to define a single hash function (with variable output-length; cf. previous paragraph) instead of a collection of them. In this case, it can be collision-resistant only against a uniform adversary.

Chun-Yuan Hsiao and Leonid Reyzin

Example 3. The original result of Goldwasser and Kalai [GK03] on the security of the Fiat-Shamir transform without random oracles has a gap due to the different notions of CRHF (the gap was subsequently closed, see below). Essentially, the work first shows that if no secret-coin CRHFs exist, then the Fiat-Shamir transform can never work. It then proceeds to show, in a sophisticated argument, that if public-coin CRHFs exist, then it is possible to construct a secure identification scheme for which the Fiat-Shamir transform always results in an insecure signature scheme. This gap in the result would be more apparent with proper definitions.

Let us elaborate on the third example, as it was the motivating example for our work. It is not obvious how to modify the [GK03] proof to cover the case when secret-coin CRHFs exist, but public-coin ones do not. Very recently, Goldwasser and Kalai [GK] closed this gap by modifying the identification scheme of the second case to show that the Fiat-Shamir transform is insecure if secret-coin (rather than public-coin) CRHFs exist. Briefly, the modification is to let the honest prover choose the hash function during key generation (instead of the public-coin Fiat-Shamir verifier choosing it during the interaction, as in the earlier version).

Despite the quick resolution of this particular gap, it and other examples above demonstrate the importance of distinguishing between the two types of collision-resistant hashing. Of course, it is conceivable that the two types are equivalent, and the distinction between them is without a difference. We therefore set out to discover whether the distinction between public-coin and secret-coin hashing is real, i.e., whether it is possible that public-coin CRHFs do not exist, but secret-coin CRHFs do.

1.3 Our Results 

Recall that public-coin hashing trivially implies secret-coin hashing. We prove 
the following results: 

1. Dense^ secret-coin CRHFs imply public-coin CRHFs; but

2. There is no black-box reduction from secret-coin CRHFs to public-coin CRHFs.

The first result is quite simple. The second, which is more involved, is obtained by constructing oracles that separate secret-coin CRHFs from public-coin CRHFs. Our technique for this oracle separation is different from previous separations (such as [IR89,Sim98,GKM+00,GMR01,CHL02]), as explained below. We note that our second result, as most oracle separations, applies only to uniform adversaries (a notable exception to this is [GT00]).

^ A CRHF is dense if a noticeable subset of all keys of a particular length is secure; see Section 3.
Our results suggest that a gap between secret-coin and public-coin CRHFs exists, but only if no dense secret-coin CRHFs exist. They highlight the importance of distinguishing between the two definitions of CRHFs.

In addition to these main results, Section 5 addresses secret vs. public coins 
in other cryptographic primitives. 

1.4 On Oracle Separations 

Usually when one constructs a cryptographic primitive P (e.g., a pseudorandom
generator [BM84]) out of another cryptographic primitive Q (e.g., a one-way
permutation), P uses Q as a subroutine, oblivious to how Q is implemented. The
security proof for P usually constructs an adversary for Q using any adversary
for P as a subroutine. This is known as a "black-box reduction from P to Q."

Note that to show that no general reduction from P to Q exists requires 
proving that Q does not exist, which is impossible given the current state of 
knowledge. However, it is often possible to show that no black-box reduction 
from P to Q exists; this is important because most cryptographic reductions are 
black-box. 

The first such statement in cryptography is due to Impagliazzo and 
Rudich [IR89]. Specifically, they constructed an oracle relative to which key 
agreement does not exist, but one-way permutations do. This means that any 
construction of key agreement from one-way permutations does not relativize 
(i.e., does not hold relative to an oracle). Hence no black-box reduction from key 
agreement to one-way permutations is possible, because black-box reductions 
relativize. 

The result of [IR89] was followed by other results about "no black-box
reduction from P to Q exists," for a variety of primitives P and Q (e.g.,
[Sim98,GKM+00,GMR01,CHL02]). Most of them, except [GMR01], actually
proved the slightly stronger statement that no relativizing reduction from P
to Q exists, by using the technique of constructing an oracle.

Our proof differs from most others in that it directly proves that no black-box 
reduction exists, without proving that no relativizing reduction exists. We do so 
by constructing different oracles for the construction of P from Q and for the 
security reduction from adversary for P to adversary for Q. This proof technique 
seems more powerful than the one restricted to a single oracle, although it proves 
a slightly weaker result. The weaker result is still interesting, however, because it 
still rules out the most common method of cryptographic reduction. Moreover, 
the stronger proof technique may yield separations that have not been achievable 
before. 

We note that [GMR01] also directly prove that no black-box reduction exists,
without proving that no relativizing reduction exists. Our approach is different
from [GMR01], whose approach is to show that for every reduction, there is an
oracle relative to which this reduction fails.

For a detailed discussion on black-box reductions, see [RTV04]. All reductions 
in this paper are what they refer to as fully black-box reductions. 
2 Definitions of Public-Coin and Secret-Coin CRHFs

Examples. Before we define public-coin and secret-coin hashing formally, consider
the following two example hash function families. The first one, keyed by
a prime $p$ with a large prime $q \mid (p-1)$, and two elements $g, h \in \mathbb{Z}_p^*$ of order $q$,
computes $H_{p,g,h}(m) = \ldots$, where $m_1$ and $m_2$ are the two halves of $m$ (here we
think of $m$ as an element of $\mathbb{Z}_q \times \mathbb{Z}_q$)². The second one, keyed by a product $n$ of
two primes $p_1 \equiv 3 \pmod 8$ and $p_2 \equiv 7 \pmod 8$ and a value $r \in \mathbb{Z}_n^*$, computes
$H_{n,r}(m) = \ldots \bmod n$³.

The first hash function family is secure as long as discrete logarithm is hard.
Thus, if one publishes the random coins used to generate $p$, $g$ and $h$, the hash
function remains secure (as long as the generation algorithm doesn't do anything
esoteric, such as computing $h$ as a random power of $g$). On the other hand, the
second hash function family is secure based on factoring, and is entirely insecure
if the factors of $n$ are known. Thus, publishing the random coins used to generate
$p_1$ and $p_2$ renders the hash function insecure, and the coins must be kept secret⁴.
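As an added example (not code from the paper), the following Python sketch instantiates the first family in its standard Pedersen form $H_{p,g,h}(m_1,m_2) = g^{m_1} h^{m_2} \bmod p$ (that formula is not legible in this copy, so its exact form is an assumption here) and contrasts two key-generation algorithms that consume the same coins: one picks $h$ directly, the other computes $h = g^a$ from the coins. Revealing the coins is harmless for the first and hands anyone a collision for the second, which is exactly the caveat of footnote 4. All identifiers are the example's own, and the parameter sizes are for demonstration only.

```python
import random

# Added example, not the paper's code. Parameters here are far too small for real use.


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with witnesses drawn deterministically from n (demonstration grade)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(n)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits: int, rng: random.Random):
    """Return (p, q) with p = 2q + 1 both prime, so q | p - 1 and every
    square other than 1 in Z_p^* has order exactly q."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


def element_of_order_q(p: int, rng: random.Random) -> int:
    """A uniformly random element of the order-q subgroup of Z_p^* (p = 2q + 1)."""
    while True:
        g = pow(rng.randrange(2, p - 1), 2, p)  # squaring lands in the subgroup
        if g != 1:
            return g


def gen_direct(bits: int, coins: int):
    """Key generation that picks h directly: revealing `coins` gives nothing
    beyond (p, q, g, h) itself, so the coins may be public."""
    rng = random.Random(coins)
    p, q = safe_prime(bits, rng)
    g = element_of_order_q(p, rng)
    h = element_of_order_q(p, rng)
    return p, q, g, h


def gen_esoteric(bits: int, coins: int):
    """Same family, but h = g^a with a derived from the coins (the footnote's warning)."""
    rng = random.Random(coins)
    p, q = safe_prime(bits, rng)
    g = element_of_order_q(p, rng)
    a = rng.randrange(1, q)
    return p, q, g, pow(g, a, p)


def pedersen_hash(key, m1: int, m2: int) -> int:
    """Assumed form of the family: H_{p,g,h}(m) = g^{m1} h^{m2} mod p, (m1, m2) in Z_q x Z_q."""
    p, q, g, h = key
    return (pow(g, m1 % q, p) * pow(h, m2 % q, p)) % p


def trapdoor_from_coins(bits: int, coins: int) -> int:
    """Replay gen_esoteric's use of the coins to recover a = log_g(h)."""
    rng = random.Random(coins)
    p, q = safe_prime(bits, rng)
    element_of_order_q(p, rng)  # consumes exactly the draws that produced g
    return rng.randrange(1, q)


def collide_with_trapdoor(key, a: int, m1: int, m2: int):
    """With h = g^a, H(m1, m2) = g^{m1 + a*m2}: moving one unit of m2 into m1
    keeps the exponent and yields a different message with the same hash."""
    p, q, g, h = key
    return (m1 + a) % q, (m2 - 1) % q


def is_collision(key, m, m_prime) -> bool:
    return m != m_prime and pedersen_hash(key, *m) == pedersen_hash(key, *m_prime)
```

The point of `trapdoor_from_coins` is that it never touches the key: it only needs the coins that an honest public-coin generator would happily publish. With `gen_direct` the same replay yields two independent subgroup elements and no relation between them.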

Definitions. We say that a function is negligible if it vanishes faster than any
inverse polynomial. We let PPTM stand for a probabilistic polynomial-time Turing
machine. We use $M^{\cdot}$ to denote an oracle Turing machine, and $M^A$ to denote
$M$ instantiated with oracle $A$.

Let $k$ be the security parameter, and let $\ell$ be a (length) function that does
not expand or shrink its input more than a polynomial amount. Below we define
two kinds of CRHFs: namely, secret-coin and public-coin. The secret-coin
CRHF definition is originally due to Damgård [Dam87], and the definition here
is adapted from [Rus95].

Definition 1. A Secret-Coin Collision Resistant Hash Family is a collection
of functions $\{h_i\}_{i \in I}$ for some index set $I \subseteq \{0,1\}^*$, where
$h_i : \{0,1\}^{\ell(k)+1} \to \{0,1\}^{\ell(k)}$ for $k = |i|$, and

1. There exists a PPTM GEN, called the generating algorithm, so that
$\mathrm{GEN}(1^k) \in \{0,1\}^k \cap I$.

2. There exists a PPTM EVA, called the function evaluation algorithm, so that
$\forall i \in I$ and $\forall x \in \{0,1\}^{\ell(|i|)+1}$, $\mathrm{EVA}(i, x) = h_i(x)$.

3. For all PPTM ADV, the probability that $\mathrm{ADV}(i)$ outputs a pair $(x, y)$ such
that $h_i(x) = h_i(y)$ is negligible in $k$, where the probability is taken over the
random choices of GEN in generating $i$ and the random choices of ADV.

² This family is derived from Pedersen commitments [Ped91].

³ This is essentially the construction of [Dam87] based on the claw-free permutations
of [GMR88].

⁴ It should be noted, of course, that whether it is secure to publish the coins depends not
only on the family, but also on the key generating algorithm itself: indeed, the first
family can be made insecure if the coins are used to generate $h$ as a power of $g$,
rather than pick $h$ directly. Likewise, the second family could be made secure if it
were possible to generate $n$ "directly," without revealing $p_1$ and $p_2$ (we are not aware
of an algorithm to do so, however).
Definition 2. A Public-Coin Collision Resistant Hash Family is a collection of
functions $\{h_i\}_{i \in \{0,1\}^*}$ where $h_i : \{0,1\}^{\ell(|i|)+1} \to \{0,1\}^{\ell(|i|)}$, and

1. A PPTM GEN on input $1^k$ outputs a uniformly distributed string $i$ of length
$k$.

2. There exists a PPTM EVA, called the function evaluation algorithm, so that
$\forall i \in \{0,1\}^*$ and $\forall x \in \{0,1\}^{\ell(|i|)+1}$, $\mathrm{EVA}(i, x) = h_i(x)$.

3. For all PPTM ADV, the probability that $\mathrm{ADV}(i)$ outputs a pair $(x, y)$ such
that $h_i(x) = h_i(y)$ is negligible in $k$, where the probability is taken over the
random choices of GEN in generating $i$ and the random choices of ADV.

A pair $(x, y)$ with $x \ne y$ such that $h_i(x) = h_i(y)$ is called a collision for $h_i$.

Remarks. The generating algorithm in the public-coin case is trivially satisfied.
We keep it here for comparison with the secret-coin case. Note that in both
cases, on security parameter $k$, GEN outputs a function that maps $\{0,1\}^{\ell(k)+1}$
to $\{0,1\}^{\ell(k)}$. This may seem restrictive as the hash functions only compress one
bit. However, it is easy to see that $h_i$ can be extended to $\{0,1\}^n$ for any fixed $n$, and
remain collision-resistant with $\ell(k)$-bit outputs, by the following construction:
$$h_i^*(x) = h_i(\ldots h_i(h_i(h_i(x_1 \circ x_2 \circ \cdots \circ x_{\ell(k)+1}) \circ x_{\ell(k)+2}) \circ x_{\ell(k)+3}) \cdots \circ x_n),$$
where $x_j$ denotes the $j$-th bit of the input string $x$ and $\circ$ denotes concatenation.
(A collision of $h_i^*$ between two inputs of the same length $n$ yields a collision of
$h_i$; inputs of different lengths are not covered without a length encoding.)
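As an added example (not the paper's code), here is the one-bit-at-a-time chaining above written out, together with the step the security argument relies on: turning a collision in $h_i^*$ back into a collision in $h_i$. The compression function is a constructed random lookup table, chosen tiny so that a collision in $h_i^*$ can be found by exhaustive search; with a real CRHF that search would fail, which is the whole point. All identifiers are the example's own.

```python
import itertools
import random

# Added example, not code from the paper.


def toy_compression(ell: int, seed: int = 0) -> dict:
    """A constructed random function {0,1}^{ell+1} -> {0,1}^ell as a lookup table.
    It stands in for h_i; it is tiny so collisions in h_i^* can be found by brute force."""
    rng = random.Random(seed)
    return {
        "".join(t): "".join(rng.choice("01") for _ in range(ell))
        for t in itertools.product("01", repeat=ell + 1)
    }


def chain_blocks(h: dict, ell: int, x: str):
    """The (ell+1)-bit blocks fed to h while evaluating h^*(x), and the final output.
    The first block is x_1 ... x_{ell+1}; every later block is the previous output
    followed by one more input bit, exactly as in the construction above."""
    if len(x) < ell + 1:
        raise ValueError("input shorter than the compression function's block")
    blocks = [x[: ell + 1]]
    state = h[blocks[0]]
    for bit in x[ell + 1 :]:
        blocks.append(state + bit)
        state = h[blocks[-1]]
    return blocks, state


def extended_hash(h: dict, ell: int, x: str) -> str:
    return chain_blocks(h, ell, x)[1]


def find_hstar_collision(h: dict, ell: int, n: int):
    """Exhaustive search over {0,1}^n for x != y with h^*(x) == h^*(y)."""
    seen = {}
    for t in itertools.product("01", repeat=n):
        x = "".join(t)
        digest = extended_hash(h, ell, x)
        if digest in seen:
            return seen[digest], x
        seen[digest] = x
    return None


def extract_h_collision(h: dict, ell: int, x: str, y: str):
    """Given x != y of equal length with h^*(x) == h^*(y), return (u, v), u != v,
    with h[u] == h[v]: the reduction behind 'h^* is collision-resistant if h is'.
    Equal length is required: without a length encoding (Merkle-Damgard
    strengthening), h^* on inputs of different lengths can collide with no
    collision in h at all."""
    if x == y or len(x) != len(y):
        raise ValueError("need two distinct inputs of the same length")
    bx, out_x = chain_blocks(h, ell, x)
    by, out_y = chain_blocks(h, ell, y)
    if out_x != out_y:
        raise ValueError("not a collision of h^*")
    # Walk both chains backwards. At the last position h(u) == h(v) because the
    # final outputs agree; if u == v there, the states that produced them agree,
    # so the same holds one step earlier. The first differing pair is the h collision.
    for u, v in zip(reversed(bx), reversed(by)):
        if u != v:
            return u, v
    raise AssertionError("identical block sequences would force x == y")
```

Running `find_hstar_collision` on 12-bit inputs against a 5-bit toy table always succeeds by pigeonhole; `extract_h_collision` then returns two distinct 6-bit blocks with the same table entry, which is the contradiction the argument in the text derives.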



3 Dense Secret-Coin CRHFs Imply Public-Coin CRHFs 



The notion of dense public-key cryptosystems was introduced by De Santis and
Persiano in [DP92]. By "dense" they mean that a uniformly distributed string,
with some noticeable probability, is a secure public key. We adapt the notion of
denseness in public-key cryptosystems from [DP92] to the context of CRHFs.
Informally, a $d$-dense secret-coin CRHF is a secret-coin CRHF with the following
additional property: if we pick a $k$-bit string at random, then we have probability
at least $k^{-d}$ of picking an index $i$ for a collision-resistant function⁵.

Note that, for example, the factoring-based secret-coin CRHF from Section 2
is dense, because the proportion of $k$-bit integers that are products of two equal-
length primes is $\Theta(k^{-2})$. In fact, we are not aware of any natural examples of
secret-coin CRHFs that are not dense (artificial examples, however, are easy to
construct).

Given a $d$-dense secret-coin CRHF, if we pick $k^{d+1}$ strings of length $k$ at
random, then with high probability, at least one of them defines a collision-
resistant hash function (the probability that none of them does is at most
$(1 - k^{-d})^{k^{d+1}} \le e^{-k}$).

Hence, we can build a public-coin CRHF from such a dense secret-coin CRHF
as follows.

⁵ Confusingly, sometimes the term dense is used to denote a function family where
each function has a dense domain, e.g., [Hai04]. This is unrelated to our use of the
term.
1. Generate $k^{d+1}$ random $k$-bit strings, independently. These strings specify
hash functions $h_1, h_2, \ldots, h_{k^{d+1}}$ in the secret-coin CRHF (strictly speaking,
some strings may not define functions at all, because they are not produced
by GEN; however, simply define $h_i(x) = 0^{\ell(k)}$ if $\mathrm{EVA}(i, x)$ does not
produce an output of length $\ell(k)$ in the requisite number of steps).

2. Through the construction described in Section 2, extend the domain of each
of these functions to binary strings of length $\ell(k)k^{d+1} + 1$. Let the resulting
functions be $h_1^*, \ldots, h_{k^{d+1}}^*$.

3. On an input $x$ of length $\ell(k)k^{d+1} + 1$, output the concatenation of
$h_1^*(x), h_2^*(x), \ldots, h_{k^{d+1}}^*(x)$.

The resulting hash maps binary strings of length $\ell(k)k^{d+1} + 1$ to binary
strings of length $\ell(k)k^{d+1}$, and is collision-resistant because at least one of
$h_1^*, h_2^*, \ldots, h_{k^{d+1}}^*$ is. (If an adversary could find a collision in the resulting hash
function, then the same collision would work for the collision-resistant hash function
among $h_1^*, h_2^*, \ldots, h_{k^{d+1}}^*$, immediately leading to a contradiction.)

The above discussion yields the following theorem. 

Theorem 1. The existence of dense secret-coin CRHF implies the existence of 
public-coin CRHF. 

4 Separating Public-Coin CRHFs 
from Secret-Coin CRHFs 

4.1 Black-Box Reductions 

Impagliazzo and Rudich [IR89] provided an informal definition of black-box re- 
ductions, and Gertner et al. [GKM+00] formalized it. We recall their formaliza- 
tion. 

Definition 3. A black-box reduction from primitive $P$ to primitive $Q$ consists
of two oracle PPTMs $M$ and $A_Q$ satisfying the following two conditions:

If $Q$ can be implemented, so can $P$: $\forall N$ (not necessarily PPTM) implementing
$Q$, $M^N$ implements $P$; and

If $P$ is broken, so is $Q$: $\forall A_P$ (not necessarily PPTM) breaking $M^N$ (as an
implementation of $P$), $A_Q^{N, A_P}$ breaks $N$ (as an implementation of $Q$).

The first condition is only a functional requirement; i.e., the term "implement"
says nothing about security, but merely says an algorithm satisfies the syntax of
the primitive.



4.2 The Main Result 

Theorem 2. There is no black-box reduction from public-coin CRHF to secret- 
coin CRHF. 
Proof. The following proposition is at the heart of our approach: it shows that
it is sufficient to construct two different oracles $F$ and $G$, such that only $G$ is used in the
implementations, while both $F$ and $G$ are used for the adversaries. This is in contrast
to the single-oracle approach usually taken to prove black-box separations.

Proposition 1. To show that there is no black-box reduction from public-coin
collision resistant hashing ($P$) to secret-coin collision resistant hashing ($Q$), it
suffices to construct two oracles $F$ and $G$ such that

1. there is an oracle PPTM $L$ such that $N = L^G$ implements secret-coin hashing;

2. for all oracle PPTM $M$, if $M^G$ implements public-coin hashing, then there
exists a probabilistic polynomial time adversary $A$ such that $A_P = A^F$ finds
a collision for $M^G$;

3. there is no oracle PPTM $B$ such that $B^{F,G}$ finds a collision for $N$.

Proof. To show that there is no black-box reduction from public-coin collision
resistant hashing ($P$) to secret-coin collision resistant hashing ($Q$), we need to
negate the definition of black-box reduction from Section 4.1; i.e., we need to show
that for every pair of oracle PPTMs $M$ and $A_Q$,

$Q$ can be implemented: $\exists N$ that implements $Q$, and if $M^N$ implements $P$,
then

$P$ can be broken, without breaking $Q$: $\exists A_P$ that breaks $M^N$ (as an
implementation of $P$), while $A_Q^{N, A_P}$ does not break $N$ (as an implementation of
$Q$).

Recall that "implement" here has only functional meaning.

The first condition clearly implies that $Q$ can be implemented. The second
condition also clearly implies that $P$ can be broken: one simply observes that
$N = L^G$ and $L$ is a PPTM; hence writing $M^N$ is equivalent to writing $M'^G$ for
the oracle PPTM $M' = M^L$, to which condition 2 applies. The third condition
implies that $P$ can be broken without breaking $Q$, essentially because $Q$ can never
be broken. More precisely, the third condition is actually stronger than what we
need: all we need is that for each $A_Q$, there is $A_P$ that breaks $M^N$, while
$A_Q^{N, A_P}$ does not break $N$. Instead, we will show that a single $A_P$ essentially
works for all $A_Q$: namely, $A_P = A^F$, for a fixed oracle $F$ and a polynomial-time
$A$. Such $A_P$ breaks $M^N$; however, as condition 3 in the proposition statement
implies, $A_Q^{N, A_P}$ will be unable to break $N$, because
$$A_Q^{N, A_P} = A_Q^{L^G, A^F} = B^{F,G}$$
for some oracle PPTM $B$.

Remarks. Note that if the implementation has access to not only $G$ but also
$F$, it becomes the usual single-oracle separation. The reason why we do not give
the implementation access to $F$ is to avoid "self-referencing" when defining $F$.
To see this, note that $F$ is the "collision finder" and is defined according to the
oracles that the implementation has access to⁶.

⁶ A similar concern occurs in [Sim98], where constructing the collision-finder requires
more careful design.
The rest of this section is devoted to constructing such $F$ and $G$ and proving
that they work.

4.3 The Oracles F and G 

In constructing $F$ and $G$, we will use the Borel-Cantelli Lemma (see, e.g., [AG96]),
which states that if the sum of the probabilities of a sequence of events converges,
then the probability that infinitely many of these events happen is zero. Formally,

Lemma 1 (Borel-Cantelli Lemma). Let $B_1, B_2, \ldots$ be a sequence of
events on the same probability space. Then $\sum_{n \ge 1} \Pr[B_n] < \infty$ implies
$\Pr\big[\bigcap_{k \ge 1} \bigcup_{n \ge k} B_n\big] = 0$.

We first construct “random” F (collision-finder) and G (secret-coin hash), 
and then use the above lemma to show that at least one pair of F and G works. 

Intuitively, we want $F$ to break any public-coin hashing but not break some
secret-coin hashing. More precisely, $F$ will find a collision if it is supplied with
the coins of the generating algorithm and will refuse to do so without the coins.

— $G$ consists of two collections of functions $\{g_i\}_{i \in \mathbb{N}}$ and $\{h_a\}_{a \in \{0,1\}^*}$, where
each $g_i$ is a random function from $\{0,1\}^i$ to $\{0,1\}^{2i}$. We will call a binary
string valid if it is in the range of $g$, and invalid if not. Each $h_a$ is a random
function from $\{0,1\}^{|a|+1}$ to $\{0,1\}^{|a|}$ if $a$ is valid, and is the constant function
$0^{|a|}$ if $a$ is invalid. We will call queries to $h_a$ valid (resp. invalid) if $a$ is valid
(resp. invalid).

— $F$ takes a deterministic oracle machine $M^{\cdot}$ and $1^k$ as input, and outputs a
collision of length $k + 1$ for $M^G$ if $M^G$ satisfies the following conditions.

1. $M^G$ maps $\{0,1\}^{k+1}$ to $\{0,1\}^k$.

2. $M^G$ never queries $h_a$ for some $a$ not obtained by previously querying $g$.
I.e., whenever $M^G$ queries $h_a$, this $a$ is the answer to some $g$-query that
$M^G$ has previously asked.

When both conditions hold, $F$ picks a random $x$ from $\{0,1\}^{k+1}$ that has a
collision, then a random $y$ ($y \ne x$) that collides with $x$ (i.e., $M^G(x) = M^G(y)$),
and outputs $(x, y)$. Otherwise $F$ outputs $\bot$.

Observe that when $F$ outputs $(x, y)$, not only $x$ but also $y$ is uniformly
distributed over all points that have a collision. Indeed, let $C$ be the total
number of points that have a collision, and suppose $y$ has $c$ collisions
$(x_1, x_2, \ldots, x_c)$; then
$$\Pr[y \text{ is chosen}] = \tfrac{1}{c}\Pr[x_1 \text{ is chosen}] + \cdots + \tfrac{1}{c}\Pr[x_c \text{ is chosen}] = \tfrac{1}{c} \cdot \tfrac{c}{C} = \tfrac{1}{C}.$$

Remarks. The reason for g being length-doubling is to have a “sparse” function 
family. More specifically, it should be hard to get a value in the range of g without 
applying it. 

As in [Sim98] , there are various ways of constructing F (the collision-finding 
oracle): one can choose a random pair that collides, or a random x then a ran- 
dom y (possibly equal to x) that collides to x. The second construction has the 
advantage, in analysis, that both x and y are uniformly distributed but does 
not always give a “correct” collision, like the first one does. Our F has both 
properties. 
4.4 Secret-Coin Collision-Resistant Hash Family Based on G

In this section we construct a secret-coin CRHF. The construction is straightforward
given the oracle $G$: the generating algorithm uses $g$ and the hashing
uses $h$. More precisely, on input $1^k$ the generating algorithm picks a random
seed $r \in \{0,1\}^k$ and outputs $a = g_k(r)$. The hash function is $h_a$. Note that the
adversary $A$ (who is trying to find a collision) is given only $a$ but not $r$. We will
show that for measure one of oracles $F$ and $G$, the probability over $r$ and $A$'s
coin tosses that $A$ finds a collision for $h_a$ is negligible. Recall that $A$ has access
to both $F$ and $G$.

Define $D$ as the event that $A$ outputs a collision for $h_a$ in the following
experiment:
$$r \leftarrow \{0,1\}^k, \qquad a \leftarrow g_k(r), \qquad (x, y) \leftarrow A^{F,G}(a).$$

And in the same experiment, define $B$ as the event that during its computation,
$A$ queries $F$ on $M^{\cdot}$, where $M^{\cdot}$ is some deterministic oracle machine that queries
its oracle on a preimage of $a$ under $g_k$ (i.e., intuitively, $M^{\cdot}$ has $r$ hardwired in it).
Suppose $A$'s running time is bounded by $k^c$ for some constant $c$. The probability
that $B$ happens is at most the probability of inverting the random function $g_k$.
If $a$ has a unique preimage, this is at most $k^c/2^k$; the probability that $a$ has two
or more preimages is at most $1/2^k$ (because it's the probability that $r$ collides
with another value under $g_k$); hence $\Pr[B] \le (k^c + 1)/2^k$. The probability that
$D$ happens conditioned on $\neg B$ is at most the probability of finding a collision
for the random function $h_a$ (whose outputs have $2k$ bits) with $k^c$ queries, which is
bounded by $k^{2c}/2^{2k}$. Recall that $A$ can be randomized. We thus have
$$\Pr_{F,G,r,A}[D] = \Pr[B] \cdot \Pr[D \mid B] + \Pr[\neg B] \cdot \Pr[D \mid \neg B]
\le \Pr[B] + \Pr[D \mid \neg B]
\le \frac{k^c + 1}{2^k} + \frac{k^{2c}}{2^{2k}}
\le \frac{2k^{2c}}{2^k}.$$

By the Markov inequality, $\Pr_{F,G}\big[\Pr_{r,A}[D] \ge k^2 \cdot 2k^{2c}/2^k\big] \le 1/k^2$. Since
$\sum_k 1/k^2$ converges, the Borel-Cantelli lemma implies that for only measure zero
of $F$ and $G$ can there be infinitely many $k$ for which event $D$ happens with
probability (over $r$ and $A$'s coins) greater than or equal to $2k^{2c+2}/2^k$. This implies
that for measure one of $F$ and $G$, event $D$ happens with probability (over $r$ and
$A$'s coins) smaller than $2k^{2c+2}/2^k$ (a negligible function) for all large enough $k$.

There are only countably many adversaries A, so we have the following lemma. 

Lemma 2. For measure one of F and G, there is a CRHF using G, which is 
secure against adversaries using G and F. 



4.5 No Public-Coin Collision-Resistant Hash Family Based on G 

In this section we show that any implementation of public-coin hashing using
oracle $G$ cannot be collision-resistant against adversaries with oracle access to
both $F$ and $G$⁷. More precisely, let $r \in \{0,1\}^k$ be the public randomness used
by the generating algorithm for a family of hash functions, and let $M^G$ be the
evaluation algorithm. I.e., $M^G_r(\cdot) = M^G(r, \cdot)$ is the hash function specified by $r$.
Assume that $M^G_r$ maps $\{0,1\}^{\ell(k)+1}$ to $\{0,1\}^{\ell(k)}$, where $\ell$ is a function that
does not expand or shrink the input by more than a polynomial amount. We
will show how to find $x$ and $y$ of length $\ell(k) + 1$ such that $M^G_r(x) = M^G_r(y)$.

An immediate attempt is to query $F(M_r, 1^{\ell(k)})$, but notice that $M^G_r$ may
query $h_a$ for arbitrary $a$⁸, which prevents $F$ from finding a collision for us.
However, these $a$ are likely to be invalid, and hence oracle answers to these
queries are likely to be $0^{|a|}$. So we can construct a machine $\tilde{M}^G_r$ that behaves
"similarly" to $M^G_r$, but only after getting $a$ from $g$ does it query $h_a$. And instead
of finding a collision for $M^G_r$, we find a collision for $\tilde{M}^G_r$, which can be done by
simply querying $F(\tilde{M}_r, 1^{\ell(k)})$.

Suppose the running time of $M^G_r$ is bounded by $k^c$ for some constant $c > 1$.
Before simulating $M^G_r$, $\tilde{M}^G_r$ queries $g$ on all inputs of length smaller than or equal
to $4c \log k$. This takes $O(k^{4c})$ steps. Now $\tilde{M}^G_r$ simulates $M^G_r$ step by step, except
for queries to $h_a$. If $a$ is the answer to one of the queries already asked of $g$
(either before the beginning of the simulation or when simulating $M^G_r$), then $\tilde{M}^G_r$
actually queries $h_a$. Else it returns $0^{|a|}$ as the answer to $M^G_r$ without querying
$h_a$.

Now fix $r$ and $x$. For every $M^G_r$, the probability, over random $G$, that $M^G_r(x) \ne
\tilde{M}^G_r(x)$ is at most the probability, over $G$, that $M^G_r$ queries $h_a$ for some valid $a$ of
length greater than $8c \log k$ without receiving it from $g$⁹. Consider the very first
time that $M^G_r$ makes such a "long" valid query. Let $n_g$ be the number of queries
to $g$ on inputs longer than $4c \log k$, and $n_h$ be the number of invalid queries
to $h$ prior to this point. Then the probability in question is upper bounded by
roughly $k^c \cdot 2^{-4c \log k}$: each of the at most $k^c$ queries names a string of some
length $2j > 8c \log k$, of which at most $2^j$ are valid, and conditioning on the
$n_g + n_h \le k^c$ answers already seen changes this only negligibly. This is at most
$1/k^{2c}$. For every fixed $G$ and $r$, call an $x$ "bad" if $M^G_r(x) \ne \tilde{M}^G_r(x)$. We have
$$\mathrm{E}_G\Big[\Pr_x[x \text{ is bad}]\Big] = \Pr_{G,x}[x \text{ is bad}] \le 1/k^{2c}.$$

Next, notice that at most half of the $x$ have no collisions, and $F$
would pick its answer $(x_F, y_F)$ uniformly from those points that have a collision.
So for a fixed $G$, the probability over $F$ that $x_F$ is bad is at most twice the
probability over random $x \in \{0,1\}^{\ell(k)+1}$ that $x$ is bad. Also recall that the
distribution of $y_F$ is the same as that of $x_F$. So for every $\tilde{M}^G_r$,
$$\mathrm{E}_G\Big[\Pr_F[\text{at least one of } (x_F, y_F) \text{ is bad}]\Big] \le 4 \cdot \mathrm{E}_G\Big[\Pr_x[x \text{ is bad}]\Big].$$

If none of $(x_F, y_F)$ is bad, this pair would be a collision not only for $\tilde{M}^G_r$ but also
for $M^G_r$. We have
$$\Pr_{F,G,r}\big[(x_F, y_F) \text{ is not a collision of } M^G_r\big] \le 4 \Pr_{G,x}[x \text{ is bad}] \le 4/k^{2c},$$

⁷ In fact, only $F$ is needed to find a collision.

⁸ In particular, those $a$ not obtained by previously querying $g$.

⁹ Recall that $g$ is length-doubling.
then
$$\Pr_{F,G}\Big[\Pr_r\big[(x_F, y_F) \text{ is not a collision of } M^G_r\big] \ge 4/k^c\Big] \le 1/k^c.$$

Since $\sum_k 1/k^c$ converges (recall $c > 1$), the Borel-Cantelli lemma implies that for only
measure zero of $F$ and $G$ can we have $\Pr_r[(x_F, y_F) \text{ is not a collision of } M^G_r] \ge
4/k^c$ for infinitely many $k$. In other words, for measure one of $F$ and $G$,
$\Pr_r[(x_F, y_F) \text{ is a collision of } M^G_r] > 1 - 4/k^c$ for all large enough $k$. There are only
countably many oracle machines $M^{\cdot}$, each of which can be collision resistant for
only measure zero of $F$ and $G$. We conclude the following.

Lemma 3. For measure one of $F$ and $G$, any implementation of public-coin
hash function families using $G$ cannot be collision-resistant against adversaries
using $F$.

This concludes the proof of Theorem 2.



5 Public Coins vs. Secret Coins for Other Primitives 

Perhaps the lack of attention in the literature to the distinction between secret- 
and public-coin primitives is due, in part, to the fact that this distinction is often 
not meaningful. 

For example, for one-way function families, these two notions are equivalent,
because a secret-coin one-way function family implies a single one-way function
(which trivially implies a public-coin one-way function family). Indeed, take
the generating algorithm $g$ and evaluation algorithm $f$ and define $F(r, x) =
(g(r), f_{g(r)}(x))$; this is one-way because an adversary who can come up with
$(r', x')$ such that $g(r) = g(r')$ and $f_{g(r')}(x') = f_{g(r)}(x)$ can be directly used to
invert $f_{g(r)}$, since $f_{g(r)}(x') = f_{g(r')}(x') = f_{g(r)}(x)$.

On the other hand, for trapdoor permutations (and public-key schemes), 
the notion of public-coin generation is meaningless: indeed the trapdoor (or the 
secret key) must be kept secret. 

However, it seems that this distinction is interesting for some primitives in
addition to collision-resistant hash functions. The relationships between public-coin
and secret-coin versions of one-way permutation families and claw-free permutation
families are unknown¹⁰. In particular, claw-free permutations are related to
collision-resistant hashing [Dam87,Rus95], which suggests that the distinction
for claw-free permutations is related to the distinction for CRHFs.

Acknowledgments. We thank Yael Tauman Kalai for many helpful discus- 
sions, and Ron Rivest for assistance with the history of hashing. Thanks also to 
the anonymous referees for insightful comments. This work was funded in part 
by the National Science Foundation under Grant No. CCR-0311485. 

¹⁰ We believe that the same construction of $F$ and $G$ (up to slight modifications)
separates public-coin and secret-coin one-way permutation families.
Abstract. We study cryptographic attacks on random Feistel schemes.
We denote by $m$ the number of plaintext/ciphertext pairs, and by $k$ the
number of rounds. In their famous paper [3], M. Luby and C. Rackoff have
completely solved the cases $m \ll 2^{n/2}$: the schemes are secure against
all adaptive chosen plaintext attacks (CPA-2) when $k \ge 3$ and against
all adaptive chosen plaintext and chosen ciphertext attacks (CPCA-2)
when $k \ge 4$ (for this second result a proof is given in [9]).

In this paper we study the cases $m \ll 2^n$. We will use the "coefficients
H technique" of proof to analyze known plaintext attacks (KPA), adaptive
or non-adaptive chosen plaintext attacks (CPA-1 and CPA-2) and
adaptive or non-adaptive chosen plaintext and chosen ciphertext attacks
(CPCA-1 and CPCA-2). In the first part of this paper, we will show
that when $m \ll 2^n$ the schemes are secure against all KPA when $k \ge 4$,
against all CPA-2 when $k \ge 5$ and against all CPCA-2 attacks when
$k \ge 6$. This solves an open problem of [1], [14], and it improves the result
of [14] (where more rounds were needed and $m \ll 2^{n(1-\varepsilon)}$ was obtained
instead of $m \ll 2^n$). The number 5 of rounds is minimal since CPA-2
attacks on 4 rounds are known when $m \ge O(2^{n/2})$ (see [1], [10]). Furthermore,
in all these cases we have always obtained an explicit majoration (upper bound)
for the distinguishing probability. In the second part of this paper, we
present some improved generic attacks. For $k = 5$ rounds, we present a
KPA with $m \simeq 2^{3n/2}$ and a non-adaptive chosen plaintext attack (CPA-1)
with $m \simeq 2^n$. For $k \ge 7$ rounds we also show some improved attacks
against random Feistel generators (with more than one permutation to
analyze and $\ge 2^{2n}$ computations).



1 Introduction 

A "Luby-Rackoff construction with $k$ rounds", which is also known as a "random
Feistel cipher", is a Feistel cipher in which the round functions $f_1, \ldots, f_k$
are independently chosen as truly random functions (see section 2 for precise
definitions).

Since the famous original paper [3] of M. Luby and C. Rackoff, these con- 
structions have inspired a considerable amount of research. In [8] and [14] a 
summary of existing works on this topic is given. 

We will denote by $k$ the number of rounds and by $n$ the integer such that
the Feistel cipher is a permutation of $2n$ bits $\to$ $2n$ bits. In [3] it was proved
M. Franklin (Ed.): CRYPTO 2004, LNCS 3152, pp. 106-122, 2004. 
that when $k \ge 3$ these Feistel ciphers are secure against all adaptive chosen
plaintext attacks (CPA-2) when the number of queries (i.e. plaintext/ciphertext
pairs obtained) is $m \ll 2^{n/2}$. Moreover when $k \ge 4$ they are secure against all
adaptive chosen plaintext and chosen ciphertext attacks (CPCA-2) when the
number of queries is $m \ll 2^{n/2}$ (a proof of this second result is given in [9]).

These results are valid if the adversary has unbounded computing power as 
long as he does only m queries. 

These results can be applied in two different ways: directly using $k$ truly
random functions (which requires significant storage), or in a hybrid
setting, in which instead of using $k$ truly random functions $f_1, \ldots, f_k$, we use $k$
pseudo-random functions. These two ways are both interesting for cryptography.
The first way gives "locally random permutations" where we have proofs of
security without any unproven hypothesis (but we need a lot of storage), and the
second way gives constructions for block encryption schemes where the security
can be based on a pseudo-random number generator, or on any one-way function.

In this paper, we will study security when $m \ll 2^n$, instead of $m \ll 2^{n/2}$
for the original paper of M. Luby and C. Rackoff. For this we must have $k \ge 5$,
since for $k \le 4$ some CPA-2 attacks when $m \ge O(2^{n/2})$ exist (see [1], [10]).
Moreover the bound $m \ll 2^n$ is the largest bound that we can get, since an
adversary with unlimited computing power can always distinguish a $k$-round
random Feistel scheme from a random permutation with $O(k \cdot 2^n)$ queries and
$O(2^{kn2^n})$ computations by simply guessing all the round functions (it is also
possible to do less computing with the same number of queries by using collisions,
see [13]).

The bound $m \ll 2^{n/2}$ is called the 'birthday bound', i.e. it is about the square
root of the optimal bound against an adversary with unbounded computing
power. In [1] W. Aiello and R. Venkatesan have found a construction of locally
random functions ('Benes') where the optimal bound ($m \ll 2^n$) is obtained
instead of the birthday bound. However here the functions are not permutations.
Similarly, in [4], U. Maurer has found some other construction of locally random
functions (not permutations) where he can get as close as wanted to the optimal
bound (i.e. $m \ll 2^{n(1-\varepsilon)}$, and for all $\varepsilon > 0$ he has a construction). In [8] the
security of unbalanced Feistel schemes is studied and a security proof in $2^{\ldots}$
is obtained, instead of $2^{n/2}$, but for much larger round functions (from $2n$ bits
to $\varepsilon$ bits, instead of $n$ bits to $n$ bits). This bound is basically again the birthday
bound for these functions.

In this paper we will show that 5-round random Feistel schemes resist all
CPA-2 attacks when $m \ll 2^n$ and that 6-round random Feistel schemes resist all
CPCA-2 attacks when $m \ll 2^n$. Here we are very near the optimal bound, and we
have permutations. This solves an open problem of [1], [10]. It also significantly
improves the results of [6] in which the $2^n$ security is only obtained when the
number of rounds tends to infinity, and the result of [14] where $2^{n(1-\varepsilon)}$ security
was proved for CPA-2 after 7 rounds (instead of 5 here) and for CPCA-2 after 10
rounds (instead of 6 here). Moreover we will obtain in this paper some explicit
and simple majorations (upper bounds) for the distinguishing probabilities. We will
also present some improved generic attacks. All these results are summarized in
appendix A.
2 Notations

General notations 

— $I_n = \{0,1\}^n$ denotes the set of the $2^n$ binary strings of length $n$. $|I_n| = 2^n$.

— The set of all functions from $I_n$ to $I_n$ is $F_n$. Thus $|F_n| = 2^{n \cdot 2^n}$.

— For any $f, g \in F_n$, $f \circ g$ denotes the usual composition of functions.

— For any $a, b \in I_n$, $[a, b]$ will be the string of length $2n$ of $I_{2n}$ which is the
concatenation of $a$ and $b$.

— For $a, b \in I_n$, $a \oplus b$ stands for bit by bit exclusive or of $a$ and $b$.

— Let $f_1$ be a function of $F_n$. Let $L$, $R$, $S$ and $T$ be four $n$-bit strings in $I_n$.
Then by definition
$$\Psi(f_1)[L, R] = [S, T] \iff S = R \text{ and } T = L \oplus f_1(R).$$

— Let $f_1, f_2, \ldots, f_k$ be $k$ functions of $F_n$. Then by definition:
$$\Psi^k(f_1, \ldots, f_k) = \Psi(f_k) \circ \cdots \circ \Psi(f_2) \circ \Psi(f_1).$$

The permutation $\Psi^k(f_1, \ldots, f_k)$ is called a 'Feistel scheme with $k$ rounds'
or shortly $\Psi^k$. When $f_1, \ldots, f_k$ are randomly and independently chosen in $F_n$,
then $\Psi^k(f_1, \ldots, f_k)$ is called a 'random Feistel scheme with $k$ rounds' or a 'Luby-
Rackoff construction with $k$ rounds'.

We will first study 4 rounds (with some limitations on the inputs/outputs), 
then prove our cryptographic results by adding one or two rounds. 

Notations for 4 rounds

• We will denote by $[L_i, R_i]$, $1 \le i \le m$, the $m$ cleartexts. These cleartexts
can be assumed to be pairwise distinct, i.e. $i \ne j \Rightarrow L_i \ne L_j$ or $R_i \ne R_j$.

• We call "index" any integer between 1 and $m$.

• $[R_i, X_i]$ is the output after one round, i.e.
$$\forall i,\ 1 \le i \le m, \quad X_i = L_i \oplus f_1(R_i).$$

• $[X_i, Y_i]$ is the output after two rounds, i.e.
$$\forall i,\ 1 \le i \le m, \quad Y_i = R_i \oplus f_2(X_i) = R_i \oplus f_2(L_i \oplus f_1(R_i)).$$

• $[Y_i, S_i]$ is the output after three rounds, i.e.
$$\forall i,\ 1 \le i \le m, \quad S_i = X_i \oplus f_3(Y_i) = L_i \oplus f_1(R_i) \oplus f_3(Y_i).$$

• $[S_i, T_i]$ is the output after 4 rounds, i.e.
$$\forall i,\ 1 \le i \le m, \quad T_i = Y_i \oplus f_4(S_i).$$

Notations for 5 rounds. We keep the same notations for $L_i, R_i, X_i, Y_i$. Now
$Z_i = X_i \oplus f_3(Y_i)$, and $[S_i, T_i]$ is still the output: $S_i = Y_i \oplus f_4(Z_i)$ and
$T_i = Z_i \oplus f_5(S_i)$.
Part I: Security Results

3 The General Proof Strategy 

We will first study the properties of 4-round schemes. Our result on 4-round 
schemes for proving KPA security will be: 

Theorem 3.1 (4 rounds) For random values $[L_i, R_i]$, $[S_i, T_i]$, $1 \le i \le m$, such that the $[L_i, R_i]$, $1 \le i \le m$, are pairwise distinct, with probability $\ge 1 - \beta$ we have:

1. the number $H$ of $(f_1, f_2, f_3, f_4) \in F_n^4$ such that $\forall i$, $1 \le i \le m$,

$$\Psi^4(f_1, f_2, f_3, f_4)[L_i, R_i] = [S_i, T_i]$$

satisfies:

$$H \ge \frac{|F_n|^4}{2^{2nm}}\,(1 - \alpha).$$

2. $\alpha$ and $\beta$ can be chosen $\ll 1$ when $m \ll 2^n$.

For 5 rounds, we will have: 

Theorem 3.2 (5 rounds) There are some values $\alpha > 0$ and $\beta > 0$ and there is a subset $E \subset I_{2n}^m$ such that:

1. for all pairwise distinct $[L_i, R_i]$, $1 \le i \le m$, and for all sequences $[S_i, T_i]$, $1 \le i \le m$, of $E$ the number $H$ of $(f_1, f_2, f_3, f_4, f_5) \in F_n^5$ such that $\forall i$, $1 \le i \le m$,

$$\Psi^5(f_1, f_2, f_3, f_4, f_5)[L_i, R_i] = [S_i, T_i]$$

satisfies:

$$H \ge \frac{|F_n|^5}{2^{2nm}}\,(1 - \alpha).$$

2. $|E| \ge (1 - \beta) \cdot 2^{2nm}$, and $\alpha$ and $\beta$ can be chosen $\ll 1$ when $m \ll \ldots$, $\forall \varepsilon > 0$.

Remark 

1. Here the set E does not depend on the [Li,Ri], and it will give security 
against CPA-2. If E depends on the [Li, Ri], we will obtain security against 
CPA-1 only. 

2. Instead of fixing a set $E$, as in theorem 3.2, we can formulate a similar theorem in terms of the expectation of the deviation of $H$ from the average value (see [15]: there is a formulation for CPA-1 and another for CPA-2). From these formulas we will get security when $m \ll 2^n$.



For 6 rounds, we will have: 
Theorem 3.3 (6 rounds) There are some values $\alpha > 0$ and $\beta > 0$ and there is a subset $E \subset I_{2n}^{2m}$ such that:

1. for all $[L_i, R_i, S_i, T_i]$, $1 \le i \le m$, of $E$, the number $H$ of $(f_1, f_2, f_3, f_4, f_5, f_6) \in F_n^6$ such that $\forall i$, $1 \le i \le m$,

$$\Psi^6(f_1, f_2, f_3, f_4, f_5, f_6)[L_i, R_i] = [S_i, T_i]$$

satisfies:

$$H \ge \frac{|F_n|^6}{2^{2nm}}\,(1 - \alpha).$$

2. For all super distinguishing circuits $\Phi$ with $m$ oracle gates, the probability that $[L_i, R_i, S_i, T_i](\Phi)$, $1 \le i \le m$, be in $E$ is $\ge 1 - \beta$, when $\Phi$ acts on a random permutation $f$ of $I_{2n} \to I_{2n}$ (here $[L_i, R_i, S_i, T_i](\Phi)$, $1 \le i \le m$, denotes the successive $[S_i, T_i] = f[L_i, R_i]$ or $[L_i, R_i] = f^{-1}[S_i, T_i]$, $1 \le i \le m$, that will appear).

3. $\alpha$ and $\beta$ can be chosen $\ll 1$ when $m \ll 2^n$.



Now from these theorems and from the general "coefficients H technique" theorems given in [11], [12], we will get immediately that when $m \ll 2^n$, $\Psi^4$ is secure against all KPA, $\Psi^5$ against all CPA-2 and $\Psi^6$ against all CPCA-2.



4 Circles 

One of the terms of the deviation of $\Psi^k$ from random permutations will be the probability to get "circles" in the variables, as we will explain below.

Definition. We will say that we have 'a circle in $R, X, Y$' if there are $k$ indices $i_1, \ldots, i_k$ with $k \ge 3$ and such that:

1. $i_1, i_2, \ldots, i_{k-1}$ are pairwise distinct and $i_k = i_1$.

2. $\forall \lambda$, $1 \le \lambda \le k - 2$, we have at least one of the three following conditions:

• $R_{i_\lambda} = R_{i_{\lambda+1}}$ and ($X_{i_{\lambda+1}} = X_{i_{\lambda+2}}$ or $Y_{i_{\lambda+1}} = Y_{i_{\lambda+2}}$),

or • $X_{i_\lambda} = X_{i_{\lambda+1}}$ and ($R_{i_{\lambda+1}} = R_{i_{\lambda+2}}$ or $Y_{i_{\lambda+1}} = Y_{i_{\lambda+2}}$),

or • $Y_{i_\lambda} = Y_{i_{\lambda+1}}$ and ($R_{i_{\lambda+1}} = R_{i_{\lambda+2}}$ or $X_{i_{\lambda+1}} = X_{i_{\lambda+2}}$).

Example. If $R_1 = R_2$ and $X_1 = X_2$, then we have a circle in $R, X, Y$. If $R_1 = R_2$, $X_2 = X_3$, $Y_3 = Y_1$, then we have a circle in $R, X, Y$.

We will prove the following theorems. 

Theorem 4.1 (For 4 rounds) When $[L_i, R_i]$, $1 \le i \le m$, are pairwise distinct and randomly chosen, the probability $p$ to obtain a circle in $R, X, Y$ with at least one equation in $Y$ when $f_1, f_2$ are randomly chosen in $F_n$ satisfies:

$$p \le \frac{3m^2}{2 \cdot 2^{2n}} + \frac{3m^3}{2^{3n}} \cdot \frac{1}{1 - \frac{2m}{2^n}}.$$
Theorem 4.2 (For 5 rounds) For all pairwise distinct $[L_i, R_i]$, $1 \le i \le m$, and for all values $\lambda$ such that $\lambda > 0$ and $2m\sqrt{\lambda} < 2^n$, we have: the probability $p$ to obtain a circle in $X, Y, Z$ with at least one equation $Z_i = Z_j$ when $f_1, f_2, f_3$ are randomly chosen in $F_n$ satisfies:

$$p \le \frac{1}{\lambda} + \frac{m(m-1)}{2 \cdot 2^{2n}} + \frac{m(m-1)(m-2)}{2^{3n}} + \frac{4\lambda m^4}{2^{4n}} \cdot \frac{1}{1 - \frac{2m\sqrt{\lambda}}{2^n}}.$$

Corollary 4.1 From this theorem 4.2 we get immediately that if $m \ll 2^n$, then ($\lambda$ can be chosen such that) $p$ is very small. So when $m \ll 2^n$, the probability to have a circle in $X, Y, Z$ with at least one equation $Z_i = Z_j$ is negligible.

Remark. In [15] we show that the condition 'with at least one equation $Z_i = Z_j$' is important: sometimes we cannot avoid some circles in $X, Y$.

With 6 rounds, we can get a simpler formula:

Theorem 4.3 (For 6 rounds) For all $[L_i, R_i]$, $1 \le i \le m$ (such that $i \ne j \Rightarrow L_i \ne L_j$ or $R_i \ne R_j$), the probability $p$ to obtain a circle in $X, Y, Z$ with at least one equation in $Z$ when $f_1, f_2, f_3, f_4$ are randomly chosen in $F_n$ satisfies:

$$p \le \frac{3m^2}{2^{2n}} + \frac{11m^3}{2^{3n}} \cdot \frac{1}{1 - \frac{4m}{2^n}}.$$

Proofs of theorems 4.1, 4.2 and 4.3 are given in the extended version of this paper ([15]). A basic tool for these proofs is:

Theorem 4.4 $\forall \lambda > 0$, for all pairwise distinct $[L_i, R_i]$, $1 \le i \le m$, when $f_1$ is randomly chosen in $F_n$ we have a probability $\ge 1 - \frac{1}{\lambda}$ that the number $N$ of $(i, j)$, $i < j$, with $X_i = X_j$ satisfies:

$$N \le \frac{\lambda\, m(m-1)}{2 \cdot 2^n}.$$

Proof. This result comes immediately from this lemma:

Lemma 4.1 For all $[L_i, R_i]$, $1 \le i \le m$ (such that $i \ne j \Rightarrow L_i \ne L_j$ or $R_i \ne R_j$), the number of $(f_1, i, j)$ such that $X_i = X_j$, $i < j$, is $\le |F_n| \cdot \frac{m(m-1)}{2 \cdot 2^n}$.

Proof of lemma 4.1. $X_i = X_j$ means $L_i \oplus f_1(R_i) = L_j \oplus f_1(R_j)$. This implies $R_i \ne R_j$ (because $L_i = L_j$ and $R_i = R_j \Rightarrow i = j$). Thus, when $(i, j)$ is fixed, the number of $f_1$ such that $X_i = X_j$ is exactly $\frac{|F_n|}{2^n}$ if $R_i \ne R_j$, and exactly 0 if $R_i = R_j$. Therefore, since we have at most $m(m-1)/2$ values $(i, j)$, $i < j$, with $R_i \ne R_j$, the total number of $(f_1, i, j)$ such that $X_i = X_j$ is $\le |F_n| \cdot \frac{m(m-1)}{2 \cdot 2^n}$, as claimed.
5 Properties of H with 4 Rounds

We give here the main ideas. See the extended version of this paper for more details ([15]). We will first prove that if the $[Y_i, S_i]$ are given, $1 \le i \le m$ (i.e. the output after 3 rounds), then the $S_i$ variables will look random as long as $m \ll 2^n$ (but the $Y_i$ variables will not look random in general). Then, with one more round and the same argument, we will obtain that the $[S_i, T_i]$ variables will look random as long as $m \ll 2^n$. We want to evaluate the number $H$ of $f_1, f_2, f_3$ such that: $\forall i$, $1 \le i \le m$, $S_i = L_i \oplus f_1(R_i) \oplus f_3(Y_i)$ with $Y_i = R_i \oplus f_2(L_i \oplus f_1(R_i))$ (1).



Remarks

1. If $Y_i = Y_j$ with $i \ne j$, then $S_i \ne S_j$. So the $S_i$ variables are not perfectly random in $I_n$ when the $Y_i$ are given. However, here we just say that the $[Y_i, S_i]$ must be pairwise distinct, since $\Psi^3$ is a permutation.

2. If $S_i$ is a constant ($\forall i$, $1 \le i \le m$, $S_i = 0$ for example), then all the $Y_i$ variables must be pairwise distinct, and in (1) $f_3$ is then fixed on exactly $m$ points. However the probability for $f_1, f_2$ to be such that all the $Y_i$ are pairwise distinct is very small. So in this case $H$ is much smaller than its average value.

3. Let us consider that instead of (1) we had to evaluate the number $J$ of $f_1, f_2, f_3$ such that $\forall i$, $1 \le i \le m$, $S_i = f_3(Y_i)$ with $Y_i = R_i \oplus f_2(L_i \oplus f_1(R_i))$ (i.e. here we do not have the term $L_i \oplus f_1(R_i)$). Then, for random $L_i, R_i$ and for random $f_1, f_2, f_3$, we will have about 2 times more collisions $S_i = S_j$ compared with a random variable $S_i$. So if $S_i$ is random, $J \ll \frac{|F_n|^3}{2^{nm}}$ in this case. For (1) we will prove (among other results) that, unlike here for $J$, when the $S_i$ are random, we always have $H \approx \frac{|F_n|^3}{2^{nm}}$.

Analysis of (1). (In appendix B an example is given of what we do here.) We will consider that all the $Y_i$ are given (as well as the $L_i, R_i, S_i$), and we want to study how $H$ can depend on the values $S_i$. If $H$ has almost always the same value for all the $S_i$, then (by summation on all the $Y_i$) we will get $H \approx \frac{|F_n|^3}{2^{nm}}$, and for all $[L_i, R_i]$ the $S_i$ will look random, as wanted, when $f_1, f_2, f_3$ are randomly chosen in $F_n$ (this is an indirect way to evaluate $H$).

In (1), when we have a new value $Y_i$, whatever $S_i$ is, $f_3$ is exactly fixed on this point $Y_i$ by (1). However if $Y_i$ is not a new value, we have $Y_i = Y_j \Rightarrow L_i \oplus f_1(R_i) = L_j \oplus f_1(R_j) \oplus S_i \oplus S_j$. For each equation $Y_i = Y_j$, we will introduce a value $\lambda_{k(i,j)} = S_i \oplus S_j$. We want to evaluate the number $H'$ of $(f_1, f_2)$ such that: $\forall i$, $1 \le i \le m$, $f_2(L_i \oplus f_1(R_i)) = R_i \oplus Y_i$ (2).

We will fix the points $(i, j)$ where $X_i = X_j$, i.e. we look for solutions $(f_1, f_2)$ such that $X_i = X_j$ exactly on these $(i, j)$, and, again, we want to evaluate how the number $H'$ of $(f_1, f_2)$ can depend on the values $S_i$ (i.e. on the values $\lambda_k$).

We will group the equations (2) by the same $f_1(R_i)$, i.e. by "blocks in $R, X, Y$": two indices $i$ and $j$ are in the same block if we can go from $i$ to $j$ by equations $R_k = R_l$, or $X_k = X_l$, or $Y_k = Y_l$ (since $X_k = X_l \Rightarrow f_1(R_k) = f_1(R_l) \oplus L_k \oplus L_l$ and $Y_k = Y_l \Rightarrow f_1(R_k) = f_1(R_l) \oplus L_k \oplus L_l \oplus \lambda_{k(k,l)}$, from these relations we can replace the variable $f_1(R_k)$ by the variable $f_1(R_l)$).
Finally, the only dependencies on the $\lambda_k$ come when we want to evaluate the number $H''$ of $f_1$ such that: $\forall i$, $1 \le i \le \alpha$, the $X_i$ are pairwise distinct, where $\alpha$ is the number of $X_i$ that we want pairwise distinct (if wanted we can bound $\alpha$, since variables with no equation in $R$, $X$ or $Y$ create no problem).

Each $X_i$ has an expression like this: $X_i = f_1(R_j) \oplus \lambda_k \oplus L'_i$ (where $L'_i$ is an expression in $\oplus$ of some $L_i$ values), or like this: $X_i = f_1(R_j) \oplus L'_i$. This gives a number of solutions for $f_1$ that depends only on whether some equations of degree one in the $\lambda_k$ variables are satisfied or not.

(These equations are $X_i \oplus X_j = X_k \oplus X_l$ where $i, j$ are in the same block in $R, X, Y$ and $k, l$ are in the same block in $R, X, Y$, so these equations can be written with only the $L_i$ and $\lambda_k$ variables.)

Example. In the example given in appendix B, $\lambda_1 = L_1 \oplus L_4 \oplus L_5 \oplus L_7$ is one of these equations, that can be true or not when the $\lambda_i$ values are fixed (here it comes from $X_1 \oplus X_2 \oplus X_5 \oplus X_7$).

Analysis of the dependencies in the $\lambda_k$. First, we can notice that if the system has no solution due to an incompatibility (for example if we want $X_1 = f_1(R_1) \oplus L_1$ and $X_2 = f_1(R_1) \oplus \lambda_1$ to be distinct) then we have a circle in $R, X, Y$ with at least one equation in $Y$. The probability to get such circles has been evaluated in section 4 and is negligible if $m \ll 2^n$. So we will assume that we have no incompatibility in the system that says that the $X_i$ variables considered are pairwise distinct. Let $\mu$ be the number of variables $\lambda_k$ that satisfy at least one of these equations among the equations considered for the evaluation of $f_1$. Each of the $\mu$ special $\lambda_k$ values can have at most $\alpha$ exceptional relations. So for a $\lambda$ like this, we have: $H \le H^* \cdot (1 - \ldots)^{\ldots}$. The value $(1 - \ldots)^{\ldots}$ can be $\gg 1$, but since we have $\mu$ exceptional relations of degree one on $\mu$ variables $\lambda_i$, the weight $W_\lambda$ of these $\lambda$ values (i.e. the number of $f_1, f_2, f_3$ that give these values multiplied by the number of these values) satisfies:

$W_\lambda \le \ldots$ (we denote by $\ldots$ this expression), since we have $\le \ldots$ possible equations. We have $\ldots \le$ about $\ldots$. So the weight $W_\lambda$ becomes negligible as soon as $\ldots$.

Remark. If these $\mu$ variables $\lambda_i$ generate almost all the possible relations with these variables, then the weight of these variables is even smaller since we just have to choose these $\mu$ variables among the $\alpha$ variables and then they are fixed (since almost all the equations are satisfied, many of these equations give equivalent values for the special $\lambda_i$). So we will have $\ldots$ instead of $\ldots$.
Finally we have obtained:

Theorem 5.1 Let $\mathcal{T}$ be the set of values that we fix: i.e. in $\mathcal{T}$ we have the values of the $Y_i$, and all the indices $(i, j)$ where we have the equations $X_i = X_j$. Then if $S$ and $S'$ are two sequences of values of $I_n^m$ such that:

1. $Y_i = Y_j \Rightarrow S_i \ne S_j$ (and $S'_i \ne S'_j$).

2. No circle in $R, X, Y$ can be created from the equalities $Y_i = Y_j \Rightarrow S_i \oplus S_j = X_i \oplus X_j$ and $R_k = R_l \Rightarrow X_k \oplus X_l = L_k \oplus L_l$.

Then the number $H_{\mathcal{T}}$ of $f_1, f_2, f_3$ solutions satisfies:

$$|H_{\mathcal{T}}(S) - H_{\mathcal{T}}(S')| \le H_{\mathcal{T}}(S) \cdot (q + r)$$

where $q = \ldots$ comes from the $\lambda_i$ with very few special equalities, and $r$ is a very small term related to the weight of the $\lambda_i$ with a lot of special equalities (as we have seen, $r$ is negligible when $m \ll 2^n$).

We can do the same for $[S_i, T_i]$ as we did for $[Y_i, S_i]$. So, since by summation we must obtain all the $(f_1, \ldots, f_4)$ with no circles, from theorem 5.1 we will get our results. Here the set $E'$ depends on $E$, so this works for non-adaptive attacks. For adaptive attacks see [15] (then we have to eliminate some equations by conditions in $[S_i, T_i]$ independently of $[L_i, R_i]$, or to study the expectation of the deviation of $H$).

Remark. Another possibility is to use the result of [5]: with 2 times more rounds, security in CPA-1 can be turned into security in CPCA-2. However in this way we would get CPCA-2 for 10 rounds (exactly as in [14]) instead of 6 rounds.

6 Comparing [14] and This Paper 

Technically the main differences between [14] and this paper are:

1. Here we introduce a condition: no more than $\ldots$ indices $(i, j)$, $i < j$, such that $X_i = X_j$ (instead of no more than 9 pairwise distinct indices such that $X_{i_1} = X_{i_2} = \ldots = X_{i_9}$ in [14]). This gives us security when $m \ll 2^n$ (instead of $m \ll \ldots$ or $m \ll \ldots$ in [14]).

2. In [14], 3 rounds are needed for half of the variables to look random, and then 4 more rounds for the $[S_i, T_i]$. Here we show that the $S_i$ will look random after 4 rounds even if the $Z_i$ are public (with a probability near 1 when $m \ll 2^n$). So for the $T_i$ we can use the same result with only one more round. In this way, we need fewer rounds in this paper compared with [14].

3. In this paper we study $\lambda_k$ that come from $Y_i \oplus Y_j = 0$ (or similarly $Z_i \oplus Z_j = 0$), while in [14] all possible $\lambda_k$ can be fixed.
Part II: Best Found Attacks

7 Generic Attacks on $\Psi^5$

We will present here the two best generic attacks that we have found on $\Psi^5$:

1. A CPA-1 attack on $\Psi^5$ with $m \approx 2^n$ and $\lambda = O(2^n)$ computations (this is an improvement compared with $m \approx 2^{\ldots}$ and $\lambda = O(2^{\ldots})$ of [13]).

2. A KPA on $\Psi^5$ with $m \approx 2^{3n/2}$ and $\lambda = O(2^{3n/2})$ computations (this is an improvement compared with $m \approx 2^{\ldots}$ and $\lambda = O(2^{\ldots})$ of [13]).

1. CPA-1 attack on $\Psi^5$.

Let us assume that $R_i = $ constant, $\forall i$, $1 \le i \le m$, $m \approx 2^n$. We will simply count the number $N$ of $(i, j)$, $i < j$, such that $S_i = S_j$ and $L_i \oplus T_i = L_j \oplus T_j$. This number $N$ will be about double for $\Psi^5$ compared with a truly random permutation.

Proof:

If $S_i = S_j$, then $f_5(S_i) = f_5(S_j)$, and $L_i \oplus T_i = L_j \oplus T_j \Leftrightarrow L_i \oplus Z_i = L_j \oplus Z_j \Leftrightarrow f_1(R_i) \oplus f_3(Y_i) = f_1(R_i) \oplus f_3(Y_j) \Leftrightarrow f_3(R_i \oplus f_2(L_i \oplus f_1(R_i))) = f_3(R_i \oplus f_2(L_j \oplus f_1(R_i)))$ (#).

This will occur if $f_2(L_i \oplus f_1(R_i)) = f_2(L_j \oplus f_1(R_i))$, or if these values are distinct but have the same images by $f_3$, so the probability is about two times larger.

Remarks

(a) By storing the $S_i \| (L_i \oplus T_i)$ values and looking for collisions, the complexity is in $\lambda \approx O(2^n)$.

(b) With a single value for $R_i$, we will get very few collisions. However this attack becomes significant if we have a few values $R_i$ and for all these values about $2^n$ values $L_i$.

2. KPA on $\Psi^5$.

The CPA attack can immediately be transformed into a KPA: for random $[L_i, R_i]$, we will simply count the number $N$ of $(i, j)$, $i < j$, such that $R_i = R_j$, $S_i = S_j$, and $L_i \oplus T_i = L_j \oplus T_j$. We will get about $\ldots$ such collisions for $\Psi^5$, and about $\ldots$ for a random permutation. This KPA is efficient when $m^2$ becomes not negligible compared with $2^{3n}$, i.e. when $m \ge$ about $2^{3n/2}$.



Remark. These attacks are very similar to the attacks on 5-round Feistel schemes described by Knudsen (cf [2]) in the case where (unlike us) $f_2$ and $f_3$ are permutations (therefore, not random functions). Knudsen's attacks are based on this theorem:

Theorem 7.1 (Knudsen, see [2]) Let $[L_1, R_1]$ and $[L_2, R_2]$ be two inputs of a 5-round Feistel scheme, and let $[S_1, T_1]$ and $[S_2, T_2]$ be the outputs. Let us assume that the round functions $f_2$ and $f_3$ are permutations (therefore they are not random functions of $F_n$). Then, if $R_1 = R_2$ and $L_1 \ne L_2$, it is impossible to have simultaneously $S_1 = S_2$ and $L_1 \oplus L_2 = T_1 \oplus T_2$.

Proof. This comes immediately from (#) above.
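The constructions of Section 2 and the Section 7 statistic in runnable form, as an added example (not the paper's own code): a toy $\Psi^k$ in the paper's notation, the CPA-1 collision count with $R_i$ constant, and the Theorem 7.1 check with bijective $f_2$, $f_3$. The toy block size $n$, the seeds and the trial count are constructed here; since "about double" is a heuristic, the code compares totals over many independent trials rather than a single instance.

```python
"""
Added example, not code from the paper: a toy model of the random Feistel
scheme Psi^k in the paper's notation, used to (a) check that Psi^k is a
permutation of I_2n, (b) read off the intermediate variables X, Y, Z, S, T,
and (c) reproduce the Section 7 CPA-1 statistic on a small constructed
instance: with R_i constant, count pairs i<j with S_i = S_j and
L_i xor T_i = L_j xor T_j. This is about double for Psi^5 compared with a
random permutation, and exactly 0 when f2, f3 are bijections (Theorem 7.1).
Parameters (n, seeds, trial count) are constructed for illustration.
"""
import random


def random_function(n, rng):
    """A random element of F_n, stored as a lookup table on I_n."""
    return [rng.randrange(1 << n) for _ in range(1 << n)]


def random_permutation(n, rng):
    """A random bijection of I_n (Knudsen's setting for f2 and f3)."""
    table = list(range(1 << n))
    rng.shuffle(table)
    return table


def feistel_trace(funcs, L, R):
    """Apply Psi(f_1), ..., Psi(f_k) in turn, with Psi(f)[L, R] = [R, L xor f(R)].
    Returns every intermediate pair: [L,R], [R,X], [X,Y], [Y,Z], [Z,S], [S,T]."""
    trace = [(L, R)]
    for f in funcs:
        L, R = R, L ^ f[R]
        trace.append((L, R))
    return trace


def feistel(funcs, L, R):
    """Psi^k(f_1, ..., f_k)[L, R] as the output pair [S, T]."""
    return feistel_trace(funcs, L, R)[-1]


def round_variables(funcs, L, R):
    """For k = 5, the paper's X, Y, Z, S, T for one input [L, R]."""
    tr = feistel_trace(funcs, L, R)
    return {"X": tr[1][1], "Y": tr[2][1], "Z": tr[3][1], "S": tr[5][0], "T": tr[5][1]}


def is_permutation(funcs, n):
    """Exhaustively check that Psi^k maps I_2n onto I_2n (feasible for small n)."""
    images = {feistel(funcs, L, R) for L in range(1 << n) for R in range(1 << n)}
    return len(images) == 1 << (2 * n)


def cpa1_statistic(outputs):
    """Section 7 count: pairs i<j with S_i = S_j and L_i xor T_i = L_j xor T_j.
    `outputs` is a list of (L_i, (S_i, T_i)); R_i is the same for all i.
    Bucketing on (S, L xor T) makes this O(m), as in the paper's remark (a)."""
    buckets = {}
    for L, (S, T) in outputs:
        key = (S, L ^ T)
        buckets[key] = buckets.get(key, 0) + 1
    return sum(c * (c - 1) // 2 for c in buckets.values())


def knudsen_count(n, seed=2):
    """Statistic for Psi^5 with f2, f3 bijective and R constant: Theorem 7.1 says 0."""
    rng = random.Random(seed)
    funcs = [random_function(n, rng), random_permutation(n, rng),
             random_permutation(n, rng), random_function(n, rng),
             random_function(n, rng)]
    outputs = [(L, feistel(funcs, L, 0)) for L in range(1 << n)]
    return cpa1_statistic(outputs)


def run_experiment(n, trials, seed=1):
    """Total statistic over `trials` fresh Psi^5 instances versus `trials`
    random permutations, each queried on all m = 2^n inputs with R = 0.
    Heuristically about 1 per trial for Psi^5 and about 0.5 for a random
    permutation when m = 2^n (the 'about double' of Section 7)."""
    rng = random.Random(seed)
    m = 1 << n
    feistel_total = random_total = 0
    for _ in range(trials):
        funcs = [random_function(n, rng) for _ in range(5)]
        feistel_total += cpa1_statistic([(L, feistel(funcs, L, 0)) for L in range(m)])
        # A random permutation answers m distinct inputs with m distinct
        # uniformly random 2n-bit outputs; sample those directly.
        random_outputs = rng.sample(range(1 << (2 * n)), m)
        random_total += cpa1_statistic(
            [(L, divmod(v, 1 << n)) for L, v in enumerate(random_outputs)])
    return feistel_total, random_total


if __name__ == "__main__":
    n = 8
    ft, rt = run_experiment(n, trials=500)
    print(f"n={n}: collisions Psi^5={ft}, random permutation={rt}, ratio={ft / rt:.2f}")
    print("Knudsen variant (f2, f3 bijective):", knudsen_count(n))
```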

8 Generic Attacks on $\Psi^k$ Generators, $k \ge 6$

$\Psi^k$ has always an even signature. This gives an attack in $2^{2n}$ if we want to distinguish $\Psi^k$ from random permutations (see [13]) and if we have all the possible cleartext/ciphertext pairs. In this section, we will present the best attacks that we know when we want to distinguish $\Psi^k$ from random permutations with an even signature, or when we do not have exactly all the possible cleartext/ciphertext pairs.

1. KPA with $k$ even.

Let $(i, j)$ be two indices, $i \ne j$, such that $R_i = R_j$ and $S_i \oplus S_j = L_i \oplus L_j$. From [10] or [11] p.146, we know the exact value of $H$ in this case, when $k$ is even. We have:

$$H = H^* \left(1 + \frac{1}{2^{(\frac{k}{2}-1)n}} - \frac{1}{2^{(k-1)n}}\right)$$

where

$$H^* \approx \frac{|F_n|^k}{2^{2nm}},$$

i.e. $H^*$ is the average value of $H$ on two cleartext/ciphertext pairs. So there is a small deviation, of about $\frac{1}{2^{(\frac{k}{2}-1)n}}$, from the average value.

So in a KPA, when the $[L_i, R_i]$ are chosen at random, and if the $f_i$ functions are chosen at random, we will get slightly more $(i, j)$, $i < j$, with $R_i = R_j$ and $S_i \oplus S_j = L_i \oplus L_j$ from a $\Psi^k$ (with $k$ even) than from a truly random permutation. This can be detected if we have enough cleartext/ciphertext pairs from many $\Psi^k$ permutations. In first approximation, these relations will act like independent Bernoulli variables (in reality the equations are not truly independent, but this is expected to create only a modification of second order).

If we have $N$ possibilities for $i < j$, and if $X$ is the number of $(i, j)$, $i < j$, with $R_i = R_j$ and $S_i \oplus S_j = L_i \oplus L_j$, we expect to have:

$$E(X) \approx \frac{N}{2^{2n}}, \qquad V(X) \approx \frac{N}{2^{2n}}.$$

We want $\sigma(X) \le \frac{E(X)}{2^{(\frac{k}{2}-1)n}}$ in order to distinguish from a random permutation. So we want $\frac{N}{2^{2n}} \ge 2^{(k-2)n}$, i.e. $N \ge 2^{kn}$.

However, if we have $\mu$ available permutations, with about $2^{2n}$ cleartext/ciphertext pairs for each of these permutations, then $N \approx 2^{4n}\mu$ (here we know these $\mu$ permutations on almost every possible cleartext; if not, $\mu$ will be larger and we will do more computations). $N \ge 2^{kn}$ gives $\mu \ge 2^{(k-4)n}$. This is an attack with $2^{(k-4)n}$ permutations and $2^{2n}\mu \approx 2^{(k-2)n}$ computations.

2. KPA with $k$ odd.

In [15], a KPA with $k$ odd is given (it has the same properties as the attack above for $k$ even).
9 Conclusion

For a block cipher from $2n$ bits $\to 2n$ bits, we generally want to have no better attack than attacks with $\ge 2^{2n}$ computations. If this block cipher is a Feistel scheme we then need to have $\ge 6$ rounds since (as shown in this paper) there is a generic attack on 5 rounds with $2^n$ computations in CPA-1 and $2^{3n/2}$ computations in KPA.

In this paper we have also shown that, however, in the model where the adversaries have unlimited computing power but have access to only $m$ cleartext/ciphertext pairs, the maximum possible security (i.e. $m \ll 2^n$) is obtained already for 5 rounds for CPA-1 and CPA-2 attacks. This solves an open problem of [1] and [14]. Moreover 6-round Feistel schemes can resist all CPCA-1 and CPCA-2 attacks when $m \ll 2^n$ (for CPCA-1 or CPCA-2 the case $k = 5$ rounds is still unclear: we only know that the security is between $m \ll 2^{n/2}$ and $m \ll 2^n$). When $2^{2n}$ is small (for example to generate 1000 pseudorandom permutations with an even signature of 30 bits $\to$ 30 bits) then more than 6 rounds are needed. In this paper we have studied such attacks, and we have extended the "coefficients H technique" to various cryptographic attacks.

We think that our proof strategy is very general and should also be efficient in the future to study different kinds of functions or permutation generators, such as, for example, Feistel schemes with a different group law than $\oplus$, or unbalanced Feistel schemes.
Appendices

A Summary of the Known Results on Random Feistel Schemes

KPA denotes known plaintext attacks. CPA-1 denotes non-adaptive chosen plain- 
text attacks. CPA-2 denotes adaptive chosen plaintext attacks. CPCA-1 denotes 
non-adaptive chosen plaintext and ciphertext attacks. CPCA-2 denotes adaptive 
chosen plaintext and chosen ciphertext attacks. Non-Homogeneous properties are 
defined in [12]. 

This figure 1 presents the best known results against unbounded adversaries limited by $m$ oracle queries.

Fig. 1. Minimum number $m$ of queries to distinguish $\Psi^k$ from a random permutation of $I_{2n} \to I_{2n}$. For simplicity we denote $2^\alpha$ for $O(2^\alpha)$, i.e. when we have security as long as $m \ll 2^\alpha$. $\ge$ means best security proved.

* $\le 4$ comes from [13] and $\ge 4$ comes from [7].

** with $k$ even and with $(k-2)(k-4)$ exceptional equations, so if $k \ge 7$ we need more than one permutation for this property.

Fig. 2. Minimum number $\lambda$ of computations needed to distinguish a generator $\Psi^k$ (with one or many such permutations available) from random permutations with an even signature of $I_{2n} \to I_{2n}$. For simplicity we denote $\alpha$ for $O(\alpha)$. $\le$ means best known attack.

* If $k \ge 7$ these attacks analyze about $\ldots$ permutations of the generator and if $k \le 6$ only one permutation is needed.

History for $\Psi^5$. For $\Psi^5$ the best results of security against CPA-2 were:

- In 1988: $m \ll 2^{n/2}$ (cf [3]).

- In 1998: $m \ll 2^{3n/4}$ (cf [12]).

- In 2003: $m \ll 2^{5n/6}$ (cf [13]).

- In 2004: $m \ll 2^n$ (cf this paper).

However CPCA-2 for $\Psi^5$ is still unclear: so far we only have the original result of Luby and Rackoff, $m \ll 2^{n/2}$.

B Example for Theorem 3.1

We will illustrate here theorem 3.1 on a small toy example. Let $1, 2, 3, 4, 5, 6, 7$ be our indices ($m = 7$). Let us assume that the $R_i$ are given such that $R_4 = R_1$ and $R_7 = R_5$ are our only equations $R_i = R_j$, $i > j$. Let us assume that the $Y_i$ are given, and that $Y_4 = Y_2$ and $Y_7 = Y_3$ are the only equations $Y_i = Y_j$, $i > j$. Then we want to show that $\lambda_1$ and $\lambda_2$ look random, where $\lambda_1 = S_4 \oplus S_2$ and $\lambda_2 = S_7 \oplus S_3$, when $f_1, f_2$ are randomly chosen. For this, we fix $\lambda_1$ and $\lambda_2$, $\lambda_1 \ne 0$, $\lambda_2 \ne 0$, and we look for the number $H$ of $(f_1, f_2)$ that give these values. We want to prove that this number $H$ does not depend significantly on $\lambda_1$ and $\lambda_2$ (except for well detected values of small weight). $H$ is the number of $(f_1, f_2)$ such that (here we put only pairwise distinct $R_i$ variables):

1. $f_1(R_2) = f_1(R_1) \oplus L_2 \oplus L_4 \oplus \lambda_1$ and $f_1(R_5) = f_1(R_3) \oplus L_3 \oplus L_7 \oplus \lambda_2$ (these two equations do not create any problem: they just fix $f_1$ on two points).

2. Block $R_1 Y$:

$$f_2(L_1 \oplus f_1(R_1)) = R_1 \oplus Y_1$$
$$f_2(L_4 \oplus \lambda_1 \oplus f_1(R_1)) = R_2 \oplus Y_2$$
$$f_2(L_4 \oplus f_1(R_1)) = R_1 \oplus Y_2.$$

Block $R_3 Y$:

$$f_2(L_3 \oplus f_1(R_3)) = R_3 \oplus Y_3$$
$$f_2(L_3 \oplus L_5 \oplus L_7 \oplus \lambda_2 \oplus f_1(R_3)) = R_5 \oplus Y_5$$
$$f_2(L_3 \oplus f_1(R_3) \oplus \lambda_2) = R_5 \oplus Y_3.$$

Block $R_6 Y$:

$$f_2(L_6 \oplus f_1(R_6)) = R_6 \oplus Y_6.$$

Let us assume that, for example, all the $R_i \oplus Y_i$ are pairwise distinct. Then we want to evaluate the number of functions $f_1$ such that all the $X_i$ are pairwise distinct. These conditions are more difficult to analyze since here we do not want equalities, but non-equalities.

— If $\lambda_1 \in \{0, L_1 \oplus L_4\}$, or $\lambda_2 \in \{0, L_5 \oplus L_7\}$, we have no solution (these values give a circle in $R, X, Y$).

— For the $X_i$ to be pairwise distinct, we must choose $f_1$ such that $f_1(R_1) \oplus f_1(R_3)$ is not in $A$, where $A$ is a set of 9 values (or less if we have collisions): $A = \{L_1 \oplus L_3,\ L_4 \oplus \lambda_1 \oplus L_3,\ L_4 \oplus L_3,\ L_1 \oplus L_3 \oplus L_5 \oplus L_7 \oplus \lambda_2,\ L_4 \oplus \lambda_1 \oplus L_3 \oplus L_5 \oplus L_7 \oplus \lambda_2,\ L_4 \oplus L_3 \oplus L_5 \oplus L_7 \oplus \lambda_2,\ L_1 \oplus L_3 \oplus \lambda_2,\ L_4 \oplus \lambda_1 \oplus L_3 \oplus \lambda_2,\ L_4 \oplus L_3 \oplus \lambda_2\}$. In the proof of theorem 3.1, we analyze the possible dependencies of $H$ with the $\lambda_i$ values.



C Examples of Unusual Values of H for $\Psi^5$

Example 1: Large value for $H$

With $m = 2$, when $R_1 = R_2$, $S_1 = S_2$ and $L_1 \oplus L_2 = T_1 \oplus T_2$, then

$$H \approx 2 \cdot \frac{|F_n|^5}{2^{2nm}}.$$

So here the value of $H$ is about double the average with only $m = 2$.

Remark: $\forall k \in \mathbb{N}^*$, $\Psi^k$ has always such large $H$ with small $m$ ($m \le (\frac{k}{2} - 1)^{\ldots}$ if $k$ is even); we say that $\Psi^k$ is "not homogeneous": see [12]. However, when $k \ge 7$, the probability that such inputs/outputs exist is generally negligible if we study only one single specific permutation.

Example 2: Small value for $H$

Here our example cannot be with $m \ll 2^{n/2}$ since we know that we always have

$$H \ge \frac{|F_n|^5}{2^{2nm}} \left(1 - \frac{\ldots}{2^n}\right)$$

(the proof is the same for $\ldots$ and $\Psi^5$).

However, we will show that when $m \approx 2^{n/2}$, $H$ can be much smaller than average (i.e. $m \approx 2^n$ is not necessary, $m \approx 2^{n/2}$ is enough). In this example 2, we will assume:
1. $\forall i, j$, $1 \le i < j \le m$, $R_i = R_j$ ($= R_1$).

2. $\forall i, j$, $1 \le i < j \le m$, $S_i = S_j$ ($= S_1$).

3. $\forall i, j$, $1 \le i < j \le m$, $i \ne j \Rightarrow L_i \oplus L_j \ne T_i \oplus T_j$ (in example 3 below we will not need this condition 3).

To get condition 3, we may assume, for example, that $\forall i$, $1 \le i \le m$, $L_i = i \oplus \varphi(i)$ and $T_i = \varphi(i)$ where $\varphi$ is well chosen. So $L_i \oplus L_j = T_i \oplus T_j \Rightarrow i = j$.

From 1 we have: $\forall i, j$, $1 \le i < j \le m$, $X_i \oplus X_j = L_i \oplus L_j$.

From 2 we have: $\forall i, j$, $1 \le i < j \le m$, $Z_i \oplus Z_j = T_i \oplus T_j$.

$H$ is the number of $f_1, f_2, f_3, f_4, f_5$ such that: $\forall i$, $1 \le i \le m$,

$$L_i \oplus f_1(R_1) = X_i$$
$$R_1 \oplus f_2(L_i \oplus f_1(R_1)) = Y_i$$
$$X_i \oplus f_3(Y_i) = Z_i$$
$$Y_i \oplus f_4(T_i \oplus f_5(S_1)) = S_1$$
$$Z_i \oplus f_5(S_1) = T_i.$$

So $H$ is $|F_n|^2$ times the number of $f_2, f_3, f_4$ such that: $\forall i$, $1 \le i \le m$,

$$\begin{cases} Y_i = R_1 \oplus f_2(L_i \oplus f_1(R_1)) = S_1 \oplus f_4(T_i \oplus f_5(S_1)) \\ f_3(Y_i) = L_i \oplus T_i \oplus f_1(R_1) \oplus f_5(S_1). \end{cases}$$

Since all the $L_i \oplus T_i$ are pairwise distinct, all the $Y_i$ must be pairwise distinct. So for $Y_i$, $1 \le i \le m$, we have exactly $2^n(2^n - 1)(2^n - 2) \cdots (2^n - m + 1)$ solutions.

Now when $Y_i$, $1 \le i \le m$, are fixed, $f_2$, $f_3$ and $f_4$ are fixed on exactly $m$ pairwise distinct points. So $H = \frac{|F_n|^5}{2^{3nm}}\, 2^n(2^n - 1)(2^n - 2) \cdots (2^n - m + 1)$.

Let $H^*$ be the average value of $H$ (when the $[S_i, T_i]$ are pairwise distinct).

$$H^* = \frac{|F_n|^5}{2^{2n}(2^{2n} - 1)(2^{2n} - 2) \cdots (2^{2n} - m + 1)} \approx \frac{|F_n|^5}{2^{2nm}}.$$

So here:

$$\frac{H}{H^*} \approx \left(1 - \frac{1}{2^n}\right)\left(1 - \frac{2}{2^n}\right) \cdots \left(1 - \frac{m-1}{2^n}\right)$$

$$\ln\left(\frac{H}{H^*}\right) \approx -\frac{1 + 2 + \ldots + (m-1)}{2^n} = -\frac{m(m-1)}{2 \cdot 2^n}.$$

So when $m(m-1)$ is not negligible compared with $2^n$, $H$ will be significantly smaller than $H^*$, as claimed.

Remark 1. Here $R_i \oplus S_i$ is not random (since $R_i \oplus S_i$ is constant), and $L_i \oplus T_i$ is not random (in example 3 below we will remove this condition on $L_i \oplus T_i$). These hypotheses are generally unrealistic in a cryptographic attack, where $\forall i$, $1 \le i \le m$, $L_i$ or $T_i$, and $R_i$ or $S_i$, cannot be chosen.
Remark 2. If we start, as here, from $[L_i, R_i]$ values with $R_i$ constant, then the $X_i$ values are pairwise distinct, so the $Y_i$ values are perfectly random (if we define $Y_i$ only from the relation $Y_i = R_i \oplus f_2(X_i)$). However, the $Z_i$ values are not perfectly random (since the probability to have $Z_i \oplus Z_j = L_i \oplus L_j$ is the probability to have $f_3(Y_i) = f_3(Y_j)$, so is about double the average). Similarly, the $[S_i, T_i]$ values are not perfectly random since the probability to have $S_i = S_j$ and $T_i \oplus T_j = L_i \oplus L_j$ is in relation with the probability to have $f_3(Y_i) = f_3(Y_j)$, so is about double the average. We will use again this idea in example 3 below.

Remark 3. Here when $m \approx 2^{n/2}$, we can have circles in $Y, S$ (and circles in $R, Y$), and this is a way to explain why in this example $H$ can be much smaller than $H^*$.

Example 3: Small value for $H$, with random $L_i$ and $T_i$

In this example 3, we will assume:

1. $\forall i, j$, $1 \le i < j \le m$, $R_i = R_j$ ($= R_1$).

2. $\forall i, j$, $1 \le i < j \le m$, $S_i = S_j$ ($= S_1$).

3. Let $A_i = L_i \oplus T_i$. Then $A_i$, $1 \le i \le m$, is random. More precisely it will be enough to assume that the number $N$ of collisions $A_i = A_j$, $i < j$, is $\le \ldots$ to show that $H$ is small compared with the average value $H^*$. For random values $A_i$ we have $N \approx \frac{m(m-1)}{2 \cdot 2^n}$.

As in example 2, $H$ is $|F_n|^2$ times the number of $f_2, f_3, f_4$ such that: $\forall i$, $1 \le i \le m$,

$$\begin{cases} Y_i = R_1 \oplus f_2(L_i \oplus f_1(R_1)) = S_1 \oplus f_4(T_i \oplus f_5(S_1)) \\ f_3(Y_i) = L_i \oplus T_i \oplus f_1(R_1) \oplus f_5(S_1). \end{cases}$$

Since all the $L_i \oplus f_1(R_1)$ are pairwise distinct, and all the $T_i \oplus f_5(S_1)$ are pairwise distinct, $f_2$ and $f_4$ are fixed on exactly $m$ points when $Y_i$, $1 \le i \le m$, is fixed.

So $H$ is $\frac{|F_n|^4}{2^{2nm}}$ times the number of $Y_i, f_3$ such that: $\forall i$, $1 \le i \le m$, $f_3(Y_i) = L_i \oplus T_i \oplus f_1(R_1) \oplus f_5(S_1)$.

Let $A_i$ be a sequence of values of $I_n$, $1 \le i \le m$. We want to evaluate the number $h$ of $Y_i, f_3$ such that: $\forall i$, $1 \le i \le m$, $f_3(Y_i) = A_i$. Let $h^*$ be the average value for $h$ (average on all sequences $A_i$). We have $h^* = |F_n|$. For random values $Y_i$ and random functions $f_3$, $A_i$ will have about 2 times more collisions $A_i = A_j$, $i < j$, than average sequences $A_i$.

So $h$ for random values $A_i$ is $\ll h^*$, and $h$ for values $A_i$ with 2 times more collisions than average is $\gg h^*$. This shows that if in this example 3 $L_i \oplus T_i$ is random, then $H \ll H^*$.
Abstract. The most common methods for computing exponentiations of random elements in Abelian groups are sliding window schemes, which enhance the efficiency of the binary method at the expense of some precomputation. In groups where inversion is easy (e.g. elliptic curves), signed representations of the exponent are meaningful because they decrease the amount of required precomputation. The asymptotically best signed method is wNAF, because it minimizes the precomputation effort whilst the non-zero density is nearly optimal. Unfortunately, wNAF can be computed only from the least significant bit, i.e. right-to-left. However, in connection with memory-constrained devices, left-to-right recoding schemes are by far more valuable.

In this paper we define the MOF (Mutual Opposite Form), a new canonical representation of signed binary strings, which can be computed in any order. Therefore we obtain the first left-to-right signed exponent-recoding scheme for general width $w$ by applying the width-$w$ sliding window conversion on MOF left-to-right. Moreover, the analogous right-to-left conversion on MOF yields wNAF, which indicates that the new class is the natural left-to-right analogue to the useful wNAF. Indeed, the new class inherits the outstanding properties of wNAF, namely the required precomputation and the achieved non-zero density are exactly the same.

Keywords: addition-subtraction chains, exponentiation, scalar multiplication, signed binary, elliptic curve cryptosystem, efficient computation, non-adjacent form (NAF), mutual opposite form (MOF), left-to-right



1 Introduction 

In modern cryptosystems one of the most important basic operations is exponentiation $g^d$, where $g$ is an element of an Abelian group $G$ and $d$ is an integer. A non-zero positive integer $d$ is uniquely represented by a binary string:

$$d = d_{n-1} | d_{n-2} | \cdots | d_1 | d_0,$$

where $a | b$ denotes the concatenation of bits $a, b$, and $d_i \in \{0, 1\}$ for $i = 0, 1, \ldots, n-1$.

Franklin (Ed.): CRYPTO 2004, LNCS 3152, pp. 123-139, 2004.

International Association for Cryptologic Research 2004
The most common method for performing an exponentiation is the square-and-multiply algorithm, which computes $g^d$ according to the bits $d_i$ (therefore it is often called binary method). The efficiency of this procedure may be enhanced if precomputation is allowed. In this case, we consider more general representations of the exponent, where each non-zero digit $d_i$ is not restricted to be 1, but is an element of a suitable digit set $\mathcal{T}$ of integers. We call $d = \sum_{i=0}^{n-1} d_i 2^i$ a $\mathcal{T}$-representation, if $d_i \in \mathcal{T} \cup \{0\}$ holds for each $i$. In general, $\mathcal{T}$-representations lose the property of uniqueness. The left-to-right square-and-multiply algorithm is easily adjusted to work with a $\mathcal{T}$-representation of the exponent, namely multiplication by the base $g$ is replaced with multiplication by precomputed elements $g^{d_i}$, where $d_i \in \mathcal{T}$ is the appropriate digit of $d$. Therefore, the important features of a $\mathcal{T}$-representation are the number of non-zero digits and the cardinality of $\mathcal{T}$, because they determine the required time and memory consumption for computing $g^d$, respectively. The research problem here is to find optimized representation classes in the sense of a trade-off between high non-zero density and low memory consumption.

1.1 New Motivation for Exponentiation Algorithms 

As ubiquitous computing devices are penetrating our daily life, the impor-
tance of memory-constrained devices (e.g. smart cards) in cryptography is increas-
ing. Smart cards are equipped with several Kbytes of RAM only, and most of it
is reserved for the OS and the stack. Thus, cryptographic algorithms should be opti-
mized in terms of memory. For this reason we are reluctant to consume memory
beyond the necessary precomputation related to T for computing the exponentia-
tion. Note that in connection with memory-constrained devices, the most popular
cryptosystems are based on elliptic curves [Kob87,Mil86], because elliptic curve
cryptosystems (ECC) provide high security with moderate key-lengths. As ellip-
tic curve groups are written additively, exponentiation has to be understood as
scalar multiplication in this context.

Exponent recoding, i.e. the rewriting of the binary exponent to a T-represen-
tation, may be performed from the least significant bit (we say "right-to-left")
or from the most significant bit ("left-to-right"). For the pur-
pose of ECC on memory-constrained devices we prefer left-to-right to right-to-left
recoding methods. The reason is as follows: In the case of elliptic curve scalar
multiplication, the left-to-right evaluation stage is the natural choice (see Section
5 for details). If the exponent recoding is done right-to-left, it is necessary to fin-
ish the recoding and to store the recoded string before starting the left-to-right
evaluation stage. In other words, we require an additional n bits (i.e. O(n) bits)
of RAM for the right-to-left exponent recoding, where n is the bit size of the scalar.

On the contrary, if a left-to-right recoding technique is available, the recoding 
and evaluation stage may be merged to obtain an efficient exponentiation on the 
fly, without storing the recoded exponent at all. Therefore it is an important 
task to construct a left-to-right recoding scheme, even if the size of T and the 
non-zero density are not improved. 
1.2 Known Solutions

The most established techniques for generating T-representations are window
methods (see, e.g., the textbooks [Knu81,MOV96] and the survey paper [Gor98]).
Loosely speaking, in the window method with width w successively w consecutive
bits of the binary exponent are scanned and, if necessary, replaced by a table
entry according to T. We distinguish fixed window methods like the 2^w-ary
method, where the window segmentation of the binary string is predetermined,
and the more advanced sliding window methods, where zero runs are skipped.
As an example, let us consider the sliding window method with width w = 3. In
this case, T equals {1, 3, 5, 7}. During the recoding stage, the binary exponent
is rewritten by performing the following replacements: 1|1 ↦ 0|3, 1|0|1 ↦ 0|0|5,
and 1|1|1 ↦ 0|0|7. Note that the sliding window conversion can be performed
left-to-right and right-to-left as well. The results may differ syntactically, but
the asymptotic non-zero density of both representations is the same, namely
1/(w + 1). In the unsigned case (i.e. T consists only of positive integers), sliding
window techniques are the method of choice.

However, a nice property of elliptic curves is that inversion is computed vir-
tually for free. In this case, it is meaningful to consider digit sets containing
negative integers, too. This reduces the precomputation effort, because g^{-i} may be
computed from g^i on the fly, such that only the elements g^i for positive i ∈ T have
to be precomputed. However, the question arises how to construct a signed T-
representation. In general, there are two strategies. The first one is to construct a
{−1, +1}-representation of d (also called a signed binary representation) and to
apply window methods afterwards. Here, the most common signed binary rep-
resentation is NAF (non-adjacent form) [Rei60,IEEE], which can be obtained
from the binary representation by applying the conversion *|1|1 ↦ (*+1)|0|1̄
repeatedly, where 1̄ denotes −1 and * stands for any binary digit. However, the
carry-over +1 occurring in the first digit forces the recoding to be performed
from the least significant bit, i.e. right-to-left. The second strategy is to gen-
eralize the NAF recoding for w > 2 in order to obtain wNAF [Sol00,BSS99]
(here, the non-adjacent property states that among any w adjacent digits, at
most one is non-zero). According to [BSS99], this strategy is the optimal one
for w > 3. But unfortunately, this strategy suffers from the same drawback as
the first one, namely as carry-overs are required, the recoding is restricted to be
done right-to-left. Consequently, all exponentiation strategies based on signed
T-representations require O(n) bits of additional RAM to store the
recoded exponent. Solely in the case of w = 2, Joye and Yen proposed a left-
to-right binary recoding algorithm [JY00]. But it has been an unsolved problem
to generate a left-to-right recoding algorithm for a general width w > 2. Note
that the asymptotic non-zero density of wNAF is the same as for the unsigned
sliding window method on binary, namely 1/(w + 1). Therefore, wNAF can be
seen as its natural signed analogue, and we guess that there could be a carry-
free generation method for wNAF. In this paper, the term carry-free refers to
an algorithm that transforms the input string in situ, i.e. in each step only the
knowledge of a fixed number of consecutive input bits is necessary.
1.3 Our Contributions

The aim of this paper is to solve both problems as follows: (1) we define a new
canonical representation class of signed binary. We call it MOF (Mutual Opposite
Form) and prove that each integer can be uniquely represented as a MOF. But
the outstanding property of MOF is that it can be efficiently developed from a
binary string right-to-left or left-to-right alike. Consequently, analogous to the
unsigned case, sliding window methods may be applied to obtain left-to-right
and right-to-left recoding schemes for general width w. Surprisingly, applying the
right-to-left width w sliding window method on MOF yields wNAF. Moreover,
the observation that in the unsigned case the right-to-left sliding window yields
an unsigned string with the non-adjacent property stresses the analogy between
unsigned binary and signed MOF. Therefore we achieve a carry-free wNAF
generation, a benefit of its own.

(2) Our major aim is to develop a left-to-right recoding algorithm, and this
is achieved straightforwardly by applying the width w sliding window method
left-to-right on MOF. We call the so-defined class wMOF and prove that each
integer can be uniquely represented as a wMOF and that the asymptotic non-
zero density of wMOF equals 1/(w + 1), which is the same as for wNAF. Therefore
the classes wNAF and wMOF may be seen as dual to each other. In general our
proposed algorithm asymptotically requires an additional O(w) bits of RAM, which
is independent of the bit size n and dramatically reduces the required space
compared with previous methods. Consequently, due to its left-to-right nature,
the new scheme is by far more convenient with respect to memory consumption
than previous schemes. Interestingly, a straightforward proof shows that for
w = 2 the proposed method produces the same output as the Joye-Yen recoding,
but 2MOF is more efficient in terms of the number of basic operations.

We finish this work with some explicit algorithms, proving that the proposed 
schemes are indeed useful for practical purposes. For example, we develop gen- 
erating algorithms for wMOF based on efficient table-lookups, and we show how 
to exploit wMOF for implementing on-the-fly elliptic curve scalar multiplication. 



2 Signed Representations 

In this section we review some signed representations, which are important in
connection with elliptic curve scalar multiplication. For the sake of simplicity,
we only deal with non-negative integers d in the following. We call d = Σ_i d_i 2^i
a T-representation, if T is a set of integers and d_i ∈ T ∪ {0} holds for each
i. If T contains negative integers, we speak of signed representations, and if T
equals {±1}, of signed binary representations. In general, signed binary repre-
sentations are redundant. The most established one is NAF (non-adjacent form),
introduced by Reitwiesner in 1960 [Rei60]. A generalization of Reitwiesner's NAF
recoding idea can be found in [Pro00,Avi61]. NAF can be easily defined by the
property that at most one out of two consecutive digits is non-zero. Reitwiesner
was able to show that ignoring leading zeros each integer has a unique NAF
representation. For this reason, some authors call NAF a canonical signed bi-
nary representation [EK94]. In addition, as shown among others by Jedwab and
Mitchell [JM89], the NAF representation provides the minimal Hamming weight.
Consequently, the NAF representation of the exponent is the optimal choice if
signed methods are meaningful and no precomputation is considered. It was first
pointed out by Morain and Olivos that NAF can be used to speed up elliptic
curve scalar multiplication [MO90].

However, the situation is less clear if extra memory is available and precom-
putation is admitted. In this case, signed representations using larger digit sets
T should be taken into account. One strategy to construct a signed representa-
tion is to apply sliding window methods on signed binary representations. But as
the signed binary representation is redundant, the question arises which representa-
tion is the best for this purpose. Indeed, this is assumed to be an open problem
by De Win et al. [WMPW98]. There are several methods to construct signed
binary representations as a base for sliding window schemes [KT92,WMPW98],
but none of these can be performed left-to-right. In this paper, we will develop a
left-to-right recoding scheme, which is of high value in connection with memory-
constrained devices.

A different approach is wNAF. Instead of applying window techniques to
signed binary representations, wNAF is computed directly from binary strings
using a generalization of NAF recoding. First we review the definition of wNAF
as stated in [Sol00].

Definition 1 (wNAF). A sequence of signed digits is called wNAF iff the fol-
lowing three properties hold:

1. The most significant non-zero bit is positive.

2. Among any w consecutive digits, at most one is non-zero.

3. Each non-zero digit is odd and less than 2^{w-1} in absolute value.

Note that 2NAF and NAF are the same. Algorithm 1 describes the generation
of wNAF as proposed by Solinas [Sol00].



Algorithm 1 Generation of wNAF [Sol00]
Input: width w, an n-bit integer d
Output: wNAF δ_n|δ_{n-1}|...|δ_0 of d
  i ← 0
  while d ≥ 1 do
    if d is even then
      δ_i ← 0
    else
      δ_i ← d mods 2^w; d ← d − δ_i
    d ← d/2; i ← i + 1
  return (δ_n, δ_{n-1}, ..., δ_0).
Here "mods" means the signed modulo, namely a mods b is defined as a mod b
with −b/2 < a mods b < b/2. The algorithm generates wNAF from the least signif-
icant bit, that is right-to-left generation again. The average density of non-
zero bits is asymptotically 1/(w + 1) for n → ∞, and the digit set equals
T = {±1, ±3, ..., ±(2^{w-1} − 1)}, which seems to be minimal. Thus wNAF and
its variants like modified window NAF [Möl02] are optimal in the sense of the
trade-off between speed and memory for w > 3 [BSS99,BHLM01]. There are
several other algorithms for generating wNAF, for example see [BSS99,MOC97],
but each method needs carry-overs. Note that in the worst case all remaining
bits are affected by the carry, therefore the previously known wNAF algorithms
cannot be considered as local methods. By inspecting Algorithm 1 closely, we
observe that this generation can be seen as the natural signed analogue to the
right-to-left sliding window method on (unsigned) binary (there, mod instead of
mods is computed). Indeed, the latter method produces a representation that
fulfills the non-adjacent requirement (see Definition 1, property 2). Consequently,
we conjecture that there might be a signed binary representation that produces
wNAF when handled with sliding window conversions. The signed binary rep-
resentation introduced in the next section will also serve for this purpose.

3 MOF: New Canonical Representation for Signed Binary Strings

In this section we present a new signed representation of integers. The proofs of
the propositions in this section are in the full version of this paper [OSST04].
In order to achieve a unique representation, we introduce the following special
class of signed binary strings, called the mutual opposite form (MOF).

Definition 2 (MOF). The n-bit mutual opposite form (MOF) is an n-bit signed
binary string that satisfies the following properties:

1. The signs of adjacent non-zero bits (without considering zero bits) are oppo-
site.

2. The most significant non-zero bit and the least significant non-zero bit are 1 and 1̄,
respectively, unless all bits are zero.

Some zero bits are inserted between non-zero bits that have a mutual opposite
sign. An example of MOF is 0 1 0 0 1̄ 0 1 0 0 0 1̄ 0 0 1 1̄ 0. An important observation is that
each positive integer can be uniquely represented by MOF. Indeed, we have the
following theorem.

Theorem 1. Let n be a positive integer. (n + 1)-bit MOF has 2^n pairwise
different representations. There is a bijective map between elements of (n + 1)-
bit MOF and n-bit binary strings.

From this theorem, any n-bit binary string can be uniquely represented by
(n + 1)-bit MOF. We obviously have the following corollary about the non-zero
density of MOF.

Corollary 1. The average non-zero density of n-bit MOF is 1/2 for n → ∞.
3.1 Converting Binary String to MOF

We show a simple and flexible conversion from n-bit binary string to (n + 1)-bit
MOF.

The crucial point is the following observation. The n-bit binary string d can
be converted to a signed binary string by computing μ = 2d ⊖ d, where '⊖'
stands for a bitwise subtraction. Indeed, we convert d as follows:

   2d =  d_{n-1} | d_{n-2}           | ... | d_{i-1}       | ... | d_1       | d_0       | 0
 ⊖  d =  0       | d_{n-1}           | ... | d_i           | ... | d_2       | d_1       | d_0
    μ =  d_{n-1} | d_{n-2} − d_{n-1} | ... | d_{i-1} − d_i | ... | d_1 − d_2 | d_0 − d_1 | −d_0.

Here the i-th signed bit of μ is denoted by μ_i, namely μ_i = d_{i-1} − d_i for i =
1, ..., n − 1 and μ_n = d_{n-1}, μ_0 = −d_0. We can prove that the signed representation
μ is MOF.

Proposition 1. The operation μ = 2d ⊖ d converts the binary string d to its MOF μ.
Algorithm 2 provides an explicit conversion from binary to MOF.



Algorithm 2 Left-to-Right Generation from Binary to MOF
Input: a non-zero n-bit binary string d = d_{n-1}|d_{n-2}|...|d_1|d_0
Output: MOF μ_n|...|μ_1|μ_0 of d
  μ_n ← d_{n-1}
  for i = n − 1 down to 1 do
    μ_i ← d_{i-1} − d_i
  μ_0 ← −d_0
  return (μ_n, μ_{n-1}, ..., μ_1, μ_0).



In order to generate the i-th bit μ_i, Algorithm 2 stores just the two consecutive
bits d_{i-1} and d_i. This algorithm converts a binary string to MOF from the most
significant bit in an efficient way. Note that it is also possible to convert a binary
string to MOF right-to-left. Thus the MOF representation is highly flexible.
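As an added worked example (my own code, not the paper's), the following Python implements Algorithm 2 and its right-to-left twin, checks the two properties of Definition 2 and the identity μ = 2d ⊖ d over a range of inputs, and uses the MOF digits as Booth's recoding in the sense of Remark 1. Function names and the sample inputs are my own choices; the integer −1 stands for the digit 1̄:

```python
# Added example (not from the paper): Binary -> MOF in both directions, the property
# checks of Definition 2, and the Booth-recoding view of Remark 1.

def mof_ltr(d):
    """Algorithm 2, left-to-right.  Returns mu_n, ..., mu_0 (most significant first)
    for the n-bit binary string of d; each digit needs only the two consecutive bits
    d_{i-1} and d_i, with d_{-1} = d_n = 0."""
    n = d.bit_length()
    bit = lambda i: (d >> i) & 1 if 0 <= i < n else 0
    return [bit(i - 1) - bit(i) for i in range(n, -1, -1)]

def mof_rtl(d):
    """The same digits produced from the least significant bit (mu = 2d (-) d evaluated
    right-to-left): MOF can be generated in either direction."""
    n = d.bit_length()
    bit = lambda i: (d >> i) & 1 if 0 <= i < n else 0
    lsb_first = [bit(i - 1) - bit(i) for i in range(0, n + 1)]
    return lsb_first[::-1]

def mof_value(digits):
    """Evaluate a signed-digit string given most significant digit first."""
    v = 0
    for x in digits:
        v = 2 * v + x
    return v

def is_mof(digits):
    """Definition 2: adjacent non-zero digits have opposite signs, the most significant
    non-zero digit is 1 and the least significant one is -1 (unless all digits are 0)."""
    nz = [x for x in digits if x != 0]
    if not nz:
        return True
    if any(abs(x) != 1 for x in nz):
        return False
    alternating = all(a == -b for a, b in zip(nz, nz[1:]))
    return alternating and nz[0] == 1 and nz[-1] == -1

def booth_multiply(a, b):
    """Remark 1: Booth's recoding of the multiplier a is its MOF, so a*b is obtained by
    adding b<<i where (a_i, a_{i-1}) = (0,1) and subtracting it where (1,0)."""
    acc = 0
    for i, mu_i in enumerate(reversed(mof_ltr(a))):   # mu_0 first
        if mu_i == 1:
            acc += b << i
        elif mu_i == -1:
            acc -= b << i
    return acc

def mof_string(digits):
    """Render with an overlined 1 for -1, as the paper writes it."""
    return " ".join({1: "1", 0: "0", -1: "1\u0304"}[x] for x in digits)

if __name__ == "__main__":
    d = 0b0100110010                      # constructed sample input
    print(mof_string(mof_ltr(d)), "==", mof_string(mof_rtl(d)))
```

`mof_ltr` is the one a memory-constrained implementation would use: it never looks at more than two input bits at a time, so the digits can be consumed as they are produced instead of being stored.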

Remark 1. Interestingly, the MOF representation of an integer d equals the re-
coding performed by the classical Booth algorithm for binary multiplication
[Boo51]. The classical Booth algorithm successively scans two consecutive bits
of the multiplier A (right-to-left). Depending on these bits, one of the following
operations is performed:

No operation, if (a_i, a_{i-1}) ∈ {(0, 0), (1, 1)},

Subtract the multiplicand B from the partial product, if (a_i, a_{i-1}) = (1, 0),

Add the multiplicand B to the partial product, if (a_i, a_{i-1}) = (0, 1),

where a_{-1} is defined as 0. Of course, the design goal of this algorithm was to
speed up multiplication when there are consecutive ones in the multiplier A, and
to provide a multiplication method that works for signed and unsigned numbers
as well. To our knowledge, this representation never served as a foundation of
a theoretical treatment of signed binary strings.
4 Window Methods on MOF

In this section we show how to decrease the non-zero density of MOF by ap-
plying window methods on it. First we consider the right-to-left width w sliding
window method which surprisingly yields the familiar wNAF. In contrast to pre-
viously known generation methods, the new one is carry-free, i.e. in each step
the knowledge of at most w + 1 consecutive input bits is sufficient.

Then we define the dual new class wMOF as the result of the analogous left-
to-right width w sliding window method on MOF. This conversion leads to the
first left-to-right signed recoding scheme for general width w.

4.1 Right-to-Left Case: wNAF

In order to describe the proposed scheme, we need the conversion table for width
w. First, we define the conversions for MOF windows of length l, such that the
first and the last bit is non-zero (the two windows in each row have the same value):

  1|1̄|0|...|0|0|1,    1|1̄|0|...|0|1|1̄    ↦  0|...|0|2^{l-2} + 1
  1|1̄|0|...|0|1|0|1̄,  1|1̄|0|...|0|1|1̄|1  ↦  0|...|0|2^{l-2} + 3
  ...
  1|0|...|0|1̄|1|1̄,    1|0|...|0|1̄|0|1    ↦  0|...|0|2^{l-1} − 3
  1|0|...|0|0|1̄                           ↦  0|...|0|2^{l-1} − 1

In addition, we have analogous conversions with all signs changed. To generate
the complete table for width w, we have to consider all conversions of length
l = 2, 3, ..., w (a window of length 1, i.e. a single non-zero digit, is left unchanged).
If l < w holds, the window is filled with leading zeros.

Example: In the case of w = 3, we use the following table for the right-to-left
sliding window method:

  Table^{NAF}_3 :  0|0|1 ↦ 0|0|1,   0|1|1̄ ↦ 0|0|1,   1|0|1̄ ↦ 0|0|3,   1|1̄|1 ↦ 0|0|3,
                   0|0|1̄ ↦ 0|0|1̄,   0|1̄|1 ↦ 0|0|1̄,   1̄|0|1 ↦ 0|0|3̄,   1̄|1|1̄ ↦ 0|0|3̄.

In an analogous way Table^{NAF}_w is defined for general w. Based on this table,
Algorithm 3 provides a simple carry-free wNAF generation.



Algorithm 3 Right-to-Left Generation from Binary to wNAF
Input: width w, a non-zero n-bit binary string d = d_{n-1}|d_{n-2}|...|d_1|d_0
Output: wNAF ν_n|...|ν_1|ν_0 of d
  d_{n+w-2} ← 0; d_{n+w-3} ← 0; ...; d_n ← 0; d_{-1} ← 0; i ← 0
  while i ≤ n do
    if d_{i-1} = d_i then
      ν_i ← 0; i ← i + 1
    else {the MOF window begins with a non-zero digit on the right}
      (ν_{i+w-1}, ..., ν_i) ← Table^{NAF}_w(d_{i+w-2} − d_{i+w-1}, ..., d_{i-1} − d_i)
      i ← i + w
  return (ν_n, ..., ν_1, ν_0).
Obviously, the output of Algorithm 3 meets the conditions of Definition 1,
therefore it is wNAF. If we knew that Definition 1 provides a unique represen-
tation, we could deduce that Algorithm 3 outputs the same as Algorithm 1.
This is true, although we could not find a proof in the literature. For the sake of
completeness, we prove the following theorem in the full version of this paper
[OSST04] by exploiting the uniqueness of the MOF representation.

Theorem 2. Every non-negative integer d has a representation as wNAF, which
is unique except for the number of leading zeros.
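As an added worked example (my own code, not the paper's), here is Algorithm 1 with the signed modulo next to the carry-free Algorithm 3. Instead of a table lookup, the window content is evaluated directly from the MOF digits μ_i = d_{i−1} − d_i, which needs only w + 1 consecutive bits of d. By Theorem 2 both generators must produce the same string; the test also checks the three properties of Definition 1 and reproduces the 4NAF row of the worked example at the end of Section 4.2. All names are my own:

```python
# Added example (not from the paper): Solinas' wNAF generation (Algorithm 1, with carries)
# beside the carry-free right-to-left sliding window on MOF (Algorithm 3).

def mods(a, m):
    """Signed residue: congruent to a modulo m and lying in (-m/2, m/2]."""
    r = a % m
    return r - m if r > m // 2 else r

def wnaf_solinas(d, w):
    """Algorithm 1.  Returns delta_0, delta_1, ... (least significant first)."""
    out = []
    while d >= 1:
        if d & 1:
            x = mods(d, 1 << w)       # odd, |x| < 2^(w-1)
            d -= x                    # this subtraction is the carry that can ripple upward
        else:
            x = 0
        out.append(x)
        d >>= 1
    return out

def wnaf_from_mof(d, w):
    """Algorithm 3.  Slides a width-w window right-to-left over the MOF digits
    mu_i = d_{i-1} - d_i (with d_{-1} = d_n = d_{n+1} = ... = 0); a window is opened at a
    non-zero digit and its value, which is odd and below 2^(w-1), becomes nu_i.
    No carry: each step reads w + 1 consecutive input bits only."""
    n = d.bit_length()
    bit = lambda i: (d >> i) & 1 if 0 <= i < n else 0
    mu = lambda i: bit(i - 1) - bit(i)
    out = [0] * (n + 1)                                      # nu_0 ... nu_n
    i = 0
    while i <= n:
        if mu(i) == 0:
            i += 1
            continue
        out[i] = sum(mu(j) << (j - i) for j in range(i, i + w))   # window mu_{i+w-1} ... mu_i
        i += w
    return out

def signed_value(lsb_first):
    return sum(x << i for i, x in enumerate(lsb_first))

def is_wnaf(lsb_first, w):
    """The three properties of Definition 1."""
    nz = [(i, x) for i, x in enumerate(lsb_first) if x]
    if not nz:
        return True
    top_positive = nz[-1][1] > 0
    spaced = all(b - a >= w for (a, _), (b, _) in zip(nz, nz[1:]))
    odd_small = all(x % 2 == 1 and abs(x) < (1 << (w - 1)) for _, x in nz)
    return top_positive and spaced and odd_small

def strip(lsb_first):
    """Drop leading zeros (at the most significant end) so both generators compare equal."""
    while len(lsb_first) > 1 and lsb_first[-1] == 0:
        lsb_first = lsb_first[:-1]
    return lsb_first

if __name__ == "__main__":
    d, w = 0xE9915D57, 4                  # the scalar of the example in Section 4.2
    print(strip(wnaf_solinas(d, w))[::-1])
    print(strip(wnaf_from_mof(d, w))[::-1])
```

The assertion `strip(wnaf_solinas(d, w)) == strip(wnaf_from_mof(d, w))` over a range of scalars is the practical form of Theorem 2: once the output of the local method satisfies Definition 1 and has the right value, uniqueness says it is the wNAF.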

4.2 Left-to-Right Case: wMOF

In this section we introduce our new proposed scheme. The crucial observation
is that, as the generation Binary ↦ MOF can be performed left-to-right, the
combination of this generation and the left-to-right sliding window method leads to
a complete signed left-to-right recoding scheme dual to wNAF.

In order to describe the proposed scheme, we need the conversion table for
width w. The conversions for MOF windows of length l, such that the first and
the last bit is non-zero, are defined in exactly the same way as in the right-to-
left case (see the table in Section 4.1 and reflect the assignments). To generate
the complete table for width w, we have to consider all conversions of length
l = 2, 3, ..., w as before. The only difference is that if l < w holds, the window
is filled with closing zeros instead of leading zeros. As an example, we construct
the conversion table Table^{MOF}_4 for width 4:

  1|0|0|0           ↦ 1|0|0|0          1̄|0|0|0           ↦ 1̄|0|0|0
  1|1̄|0|0           ↦ 0|1|0|0          1̄|1|0|0           ↦ 0|1̄|0|0
  1|0|1̄|0, 1|1̄|1|0  ↦ 0|0|3|0          1̄|0|1|0, 1̄|1|1̄|0  ↦ 0|0|3̄|0
  1|1̄|0|1, 1|1̄|1|1̄  ↦ 0|0|0|5          1̄|1|0|1̄, 1̄|1|1̄|1  ↦ 0|0|0|5̄
  1|0|0|1̄, 1|0|1̄|1  ↦ 0|0|0|7          1̄|0|0|1, 1̄|0|1|1̄  ↦ 0|0|0|7̄

The table is complete due to the properties of MOF. Note that because of the
equalities *|1|1̄ = *|0|1 and *|1̄|1 = *|0|1̄, usually two different MOF strings are converted
to the same pattern. In an analogous way, Table^{MOF}_w is defined for general width
w. In this case the digit set equals T = {±1, ±3, ..., ±(2^{w-1} − 1)}, which is
the same as for wNAF. Therefore, the scheme requires only 2^{w-2} precomputed
elements. Algorithm 4 makes use of this table to generate wMOF left-to-right.

In order to deepen the duality between wNAF and wMOF, we give a formal
definition of wMOF and prove that it leads to a unique representation of non-
negative integers.

Definition 3. A sequence of signed digits is called wMOF iff the following three
properties hold:

1. The most significant non-zero bit is positive.

2. All but the least significant non-zero digit x are adjoined by w − 1 zeros as
follows:

   – in case of 2^{k-1} < |x| < 2^k for an integer 2 ≤ k ≤ w − 1 the pattern
     equals 0^k x 0^{w-k-1} (k zeros, then x, then w − k − 1 zeros),

   – in case of |x| = 1 either the pattern equals x 0^{w-1} and the next lower
     non-zero digit has the opposite sign from x, or the pattern equals 0 x 0^{w-2}
     and the next lower non-zero digit has the same sign as x.

   If x is the least significant non-zero digit, it is possible that the number of
   right-hand adjacent zeros is smaller than stated above. In addition it is not
   possible that the last non-zero digit is a 1 following any non-zero digit.

3. Each non-zero digit is odd and less than 2^{w-1} in absolute value.

This definition is directly related to the generation of wMOF. Note that the
exceptional case corresponding to the least significant bit takes into account that
the last window may be shorter than w.



Algorithm 4 Left-to-Right Generation from Binary to wMOF
Input: width w, a non-zero n-bit binary string d = d_{n-1}|d_{n-2}|...|d_1|d_0
Output: wMOF δ = δ_n|δ_{n-1}|...|δ_1|δ_0 of d
  d_{-1} ← 0; d_n ← 0; i ← n
  while i ≥ w − 1 do
    if d_i = d_{i-1} then
      δ_i ← 0; i ← i − 1
    else {the MOF window begins with a non-zero digit on the left}
      (δ_i, δ_{i-1}, ..., δ_{i-w+1}) ← Table^{MOF}_w(d_{i-1} − d_i, d_{i-2} − d_{i-1}, ..., d_{i-w} − d_{i-w+1})
      i ← i − w
  if i ≥ 0 then
    (δ_i, δ_{i-1}, ..., δ_0) ← Table^{MOF}_{i+1}(d_{i-1} − d_i, d_{i-2} − d_{i-1}, ..., d_{-1} − d_0)
  return (δ_n, δ_{n-1}, ..., δ_1, δ_0).



Regarding the uniqueness and the non-zero density of wMOF, we have the
following two theorems, proven in the full version of this paper [OSST04].

Theorem 3. Every non-negative integer d has a representation as wMOF, which
is unique except for the number of leading zeros.

Theorem 4. The average non-zero density of wMOF is asymptotically 1/(w + 1)
for n → ∞.

We finish this section with a detailed example of the conversion from binary
to MOF and the effects of several sliding window methods (1̄ denotes −1, 3̄ denotes −3,
and so on):

  Bin     1 1 1 0 1 0 0 1 1 0 0 1 0 0 0 1 0 1 0 1 1 1 0 1 0 1 0 1 0 1 1 1
  MOF   1 0 0 1̄ 1 1̄ 0 1 0 1̄ 0 1 1̄ 0 0 1 1̄ 1 1̄ 1 0 0 1̄ 1 1̄ 1 1̄ 1 1̄ 1 0 0 1̄

  2MOF  1 0 0 0 1̄ 1̄ 0 1 0 1̄ 0 0 1 0 0 0 1 0 1 1 0 0 0 1̄ 0 1̄ 0 1̄ 0 1̄ 0 0 1̄
  3MOF  1 0 0 0 0 3̄ 0 0 0 3 0 0 1 0 0 0 0 3 0 1̄ 0 0 0 0 3̄ 0 0 3 0 1̄ 0 0 1̄
  4MOF  0 0 0 7 0 0 0 5 0 0 0 0 7̄ 0 0 0 0 0 5 0 0 0 7 0 0 0 5 0 0 3 0 0 1̄

  NAF   1 0 0 1̄ 0 1 0 1 0 1̄ 0 0 1 0 0 1 0 1̄ 0 1̄ 0 0 0 1̄ 0 1̄ 0 1̄ 0 1̄ 0 0 1̄
  3NAF  1 0 0 0 0 3̄ 0 0 0 3 0 0 1 0 0 0 1 0 0 3 0 0 0 1̄ 0 0 3̄ 0 0 3 0 0 1̄
  4NAF  0 0 0 7 0 0 0 5 0 0 0 3̄ 0 0 0 7̄ 0 0 0 5̄ 0 0 0 0 3̄ 0 0 0 5 0 0 0 7
4.3 Left-to-Right Generation of (w)NAF

Although in the preceding section we have presented left-to-right generated
signed representations that are at least as useful as (w)NAFs, from a theoretical
point of view it is still an interesting question how to generate the (w)NAF from
the most significant bit. The reason for the difficulty is a carry caused by the
statement d ← d − δ_i of Algorithm 1. To illustrate the problem, note that the bi-
nary strings 101010 and 101011 that only differ in the last digit are converted to
the NAFs 1 0 1 0 1 0 and 1 0 1̄ 0 1̄ 0 1̄, respectively, which differ completely. Intuitively,
it is not possible to generate NAF left-to-right without scanning any higher bits.
In this section we exploit the MOF representation to discuss how many bits have
to be scanned and how much additional storage is required.

Note that we obtain NAF if we apply the conversions 1|1̄ ↦ 0|1 and 1̄|1 ↦ 0|1̄
right-to-left on MOF. However, performing the same conversions left-to-right
may yield a different result. The critical sequence is of the shape

  0|1|1̄|1|...|1̄|1|0  or  0|1̄|1|1̄|...|1|1̄|0,

where the alternating run has odd length. Note that the first sequence corresponds to the
binary string 1 0 1 0 ... 0 1 1. If the length of the sequence of alternating bits is even,
then both the left-to-right and the right-to-left conversion uniquely generate the same
string, namely b|b̄|...|b|b̄ ↦ 0|b|...|0|b for b ∈ {±1}. But if the length is odd, left-to-right
we obtain b|b̄|...|b̄|b ↦ 0|b|...|0|b|b, whereas right-to-left generates b|b̄|...|b̄|b ↦
b|0|b̄|0|b̄|...|0|b̄. Consequently,
if this sequence appears, we have to scan it completely in order to compute the
corresponding NAF. However, the first bit and the length of the critical sequence
uniquely determine the corresponding NAF, hence it is not necessary to store
the sequence. Thus, the additional required storage in RAM is at most a few bits,
namely the bit length of the critical sequence. Therefore, we obtain Algorithm 5.



Algorithm 5 Left-to-Right Generation from Binary to NAF
Input: a non-zero n-bit binary string d = d_{n-1}|d_{n-2}|...|d_1|d_0
Output: NAF ν_n|ν_{n-1}|...|ν_1|ν_0 of d
  i ← n; d_n ← 0; d_{-1} ← 0; d_{-2} ← 0
  while i ≥ 0 do
    b ← d_{i-1} − d_i
    if b = 0 then
      ν_i ← 0; i ← i − 1
    else {b ≠ 0}
      find the smallest j ≥ 1 such that d_{i-j-1} = d_{i-j}   {the alternating run μ_i, ..., μ_{i-j+1} has length j}
      if j is odd then
        ν_i ← b; ν_{i-1} ← 0; ν_{i-2} ← −b; ...; ν_{i-j+2} ← 0; ν_{i-j+1} ← −b; ν_{i-j} ← 0
      else {j is even}
        ν_i ← 0; ν_{i-1} ← b; ...; ν_{i-j+2} ← 0; ν_{i-j+1} ← b; ν_{i-j} ← 0
      i ← i − j − 1
  return (ν_n, ν_{n-1}, ..., ν_1, ν_0).
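An added worked example (my own code, not the paper's) of Algorithm 5: the length j of the critical sequence is measured first, then the NAF digits of the run are written without any carry. The example reproduces the 101010 / 101011 case discussed above, verifies each output against the NAF conditions (which determine it uniquely by Theorem 2), and reports the scanning depth that bounds the extra storage. All names are my own:

```python
# Added example (not from the paper): left-to-right NAF generation driven by MOF digits.

def naf_ltr(d):
    """Algorithm 5.  Scans d from the most significant bit.  A run of j consecutive
    non-zero MOF digits (necessarily alternating b, -b, b, ...) is replaced by its NAF:
        j even:  b -b ... b -b   ->  0 b 0 b ... 0 b
        j odd :  b -b ... -b b   ->  b 0 -b 0 ... 0 -b
    Returns nu_n, ..., nu_0 (most significant first)."""
    n = d.bit_length()
    bit = lambda i: (d >> i) & 1 if 0 <= i < n else 0        # d_{-1} = d_{-2} = d_n = 0
    mu = lambda i: bit(i - 1) - bit(i)                       # MOF digit, Algorithm 2
    nu = [0] * (n + 1)                                       # nu[k] holds nu_k
    i = n
    while i >= 0:
        b = mu(i)
        if b == 0:
            i -= 1
            continue
        j = 1
        while mu(i - j) != 0:                                # measure the critical sequence
            j += 1
        if j % 2 == 1:
            nu[i] = b
            for k in range(2, j, 2):
                nu[i - k] = -b
        else:
            for k in range(1, j, 2):
                nu[i - k] = b
        i -= j + 1                                           # mu_{i-j} = 0 separates the runs
    return nu[::-1]

def scan_depth(d):
    """Length of the longest critical sequence: how far ahead the scan must look before
    the first NAF digit of a run can be emitted.  Only b and this length are kept,
    i.e. O(log n) bits rather than the run itself."""
    n = d.bit_length()
    bit = lambda i: (d >> i) & 1 if 0 <= i < n else 0
    mu = lambda i: bit(i - 1) - bit(i)
    best = run = 0
    for i in range(n, -1, -1):
        run = run + 1 if mu(i) else 0
        best = max(best, run)
    return best

def is_naf(digits):
    """Definition 1 with w = 2: digits in {0, +-1}, no two adjacent non-zero digits,
    most significant non-zero digit positive."""
    nz = [k for k, x in enumerate(digits) if x]
    return (all(abs(digits[k]) == 1 for k in nz)
            and all(b - a >= 2 for a, b in zip(nz, nz[1:]))
            and (not nz or digits[nz[0]] == 1))

def value(digits):
    v = 0
    for x in digits:
        v = 2 * v + x
    return v

if __name__ == "__main__":
    for d in (0b101010, 0b101011):                            # the example of Section 4.3
        print(bin(d), naf_ltr(d), "scan depth", scan_depth(d))
```

For 101011 the whole run of five alternating MOF digits has to be read before the leading digit can be fixed, which is exactly why a carry-based generator cannot emit anything from the top; the alternating run 1010...1 of length n is the worst case, so the state is the sign b plus a counter of at most log_2 n bits.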
It is also possible to construct a left-to-right generation algorithm of wNAF,
w > 2. In this case, the critical sequence is of the following shape

  0^{w-1} | a_l | a_{l-1} | ... | a_1 | a_0 | 0^{w-1},                                  (1)

where the most and the least significant (w − 1) bits are zero and no zero run of length
w − 1 appears in a_l a_{l-1} ... a_1 a_0. If it is possible to convert the critical sequence (1)
left-to-right to wNAF, then we can generate wNAF from any MOF. In order
to find the corresponding wNAF of (1), we scan the whole sequence right-to-
left and obtain the segmentations that are produced by the right-to-left sliding
window conversion MOF ↦ wNAF. Note that there is no need to store the width
w windows, but we must detect and store the length of the zero runs between
any two windows. In addition, the content of the left-most window, which may
be smaller than w, has to be transferred. Afterwards, the sequence (1) can be
rewritten as follows:

  0^{w-1} | r | b_l | t_l | ... | b_2 | t_2 | b_1 | t_1 | 0^{w-1},                         (2)

where r consists of at most w − 1 consecutive bits of MOF (and may be the
empty word ε), b_j ∈ {ε, 0, 00, ..., 0^{w-2}} and each t_j is a length w pattern of
MOF, corresponding to an entry of Table^{NAF}_w. Here we have to store r and the b_j.
Based on this information, the corresponding wNAF is completely determined
left-to-right. Thus we need to store at most (w − 1 + log_2(w − 2) · …) bits.



4.4 Comparison with Previous Methods

In this section we clarify the difference to previous schemes for generating signed
representations.

In 1992, Koyama and Tsuruoka developed a new recoding technique to con-
vert a binary string to a signed binary string [KT92]. Following this step, a
left-to-right sliding window method is applied. The new signed binary represen-
tation has the benefit that it reduces the asymptotic non-zero density, but it
requires the sub-optimal digit set T = {±1, ±3, ..., ±(2^w − 3)}. If the sliding
window method is directly applied to NAF, due to the NAF property fewer pos-
sible window contents have to be taken into account, resulting in a smaller digit
set T. An easy calculation shows that the largest odd NAF consisting of at most
w digits equals (2^{w+1} − 1)/3 for odd w (cf. 1 0 1 0 ... 0 1) and (2^{w+1} + 1)/3 − 2 for
even w (cf. 1 0 1 0 ... 1 0 0 1). For this reason, De Win et al. prefer the latter method
for elliptic curve scalar multiplication [WMPW98]. Although there are slightly
more point operations needed to evaluate the scalar multiplication if the expo-
nent is represented as wNAF compared to the [WMPW98] representation, the
required precomputation is less in the wNAF case because of the smaller digit
set. Indeed, Blake et al. proved that wNAF is asymptotically better than sliding
window on NAF schemes if w > 3 [BSS99]. In the context of memory-constrained
devices, a small digit set T is even more valuable, because fewer precomputed el-
ements have to be stored. But as none of the preceding methods is a left-to-right
scheme, each one requires additional memory O(n) to store the recoded string
before starting the left-to-right evaluation of the scalar product. Note that in
the context of sliding window on signed binary schemes like [KT92,WMPW98]
the sliding window conversion may be performed left-to-right, but to obtain the
signed binary representation we have to proceed right-to-left in either case.

In contrast, wMOF turns out to be a complete left-to-right scheme. Conse-
quently, there is no additional memory required for performing the scalar mul-
tiplication. In addition, due to the properties of MOF, the digit set of wMOF is
the same as for wNAF and therefore minimal.

In order to compare the proposed algorithms with previous ones, we summa-
rize the memory requirements of the new left-to-right schemes in the following
theorem.

Theorem 5. Algorithm 4 requires only O(w) bits of memory for generating wMOF.
Algorithm 5 requires at most log_2 n bits of memory for generating NAF left-to-
right. For general width w, there is a left-to-right algorithm that generates wNAF
with at most (w − 1 + log_2(w − 2) · …) bits of memory.

Next, we compare the characterizing properties of the proposed schemes and
some previous ones. In the second column, the value #T/2 equals the number
of elements that have to be precomputed and stored. In the last column, we
describe the amount of memory (in bits) that is required in addition to this
storage, e.g. to construct the signed representation or to store the converted
string in right-to-left schemes. As usual, n equals the bit-length of the scalar,
and SW is an abbreviation for sliding window.

Table 1. Comparison of Memory Requirement and Non-zero Density

  Scheme                     | #T/2                  | 1/(Non-zero Density)              | Additional Memory
  ---------------------------+-----------------------+-----------------------------------+----------------------------------
  wNAF [Sol00,BSS99,MOC97]   | 2^{w-2}               | w + 1                             | O(n)
  [KT92]                     | 2^{w-1} − 1           | w + 1                             | O(n)
  NAF+SW as [WMPW98]         | (2^w + (−1)^{w+1})/3  | w + 4/3 − (−1)^w / (3 · 2^{w-2})  | O(n)
  wMOF, Sec. 4.2             | 2^{w-2}               | w + 1                             | O(w)
  l-t-r wNAF, Sec. 4.3       | 2^{w-2}               | w + 1                             | O(log n), w = 2; O(…), w > 2


5 Applications to Elliptic Curve Scalar Multiplication

Let K = GF(p) be a finite field, where p > 3 is a prime. Let E be an elliptic
curve over K. The elliptic curve E has an Abelian group structure with identity
element O called the point at infinity. A point P ∈ E is represented as P = (x, y).
The inverse of the point P = (x, y) is equal to −P = (x, −y), hence it can be
computed virtually for free. The elliptic curve addition P_1 + P_2 and doubling 2P are
denoted by ECADD and ECDBL, respectively, where P_1, P_2, P ∈ E.

As elliptic curves are written additively, exponentiation has to be under-
stood as scalar multiplication. The familiar binary algorithms are adapted by
computing ECADD instead of multiplying and ECDBL instead of squaring.

In general, we distinguish two main concepts of performing scalar multiplica- 
tion: left-to-right and right-to-left. Here, d is represented as d= ^ 

{ 0 , 1 }, dn-l = 1 . 



Algorithm Binary Method, l-t-r 
Input: P; d = d_{n-1}|...|d_1|d_0 
Output: scalar multiplication dP 
  Q ← P 
  for i = n − 2 down to 0 
    Q ← ECDBL(Q) 
    if d_i = 1 
      Q ← ECADD(Q, P) 
  return Q. 



Algorithm Binary Method, r-t-l 
Input: P; d = d_{n-1}|...|d_1|d_0 
Output: scalar multiplication dP 
  Q_1 ← P; Q_2 ← O 
  for i = 0 to n − 1 
    if d_i = 1 
      Q_2 ← ECADD(Q_2, Q_1) 
    Q_1 ← ECDBL(Q_1) 
  return Q_2. 



Though in general both methods provide the same efficiency, the left-to-right method is preferable due to the following reasons: 

1. The left-to-right method can be adjusted for general $\mathcal{T}$-representations of $d$ like wNAF or wMOF in a more efficient way than the right-to-left method. 

2. The ECADD step in the left-to-right method has the fixed input $tP$, $t \in \mathcal{T}$. Therefore it is possible to speed up these steps if $tP$ is expressed in affine coordinates for each $t \in \mathcal{T}$, since some operations are negligible in this case. The improvement for a 160-bit scalar multiplication is about 15% with NAF over the right-to-left scheme in Jacobian coordinates [CMO98]. 

3. The right-to-left method needs an auxiliary register for storing $2^i P$. 



5.1 Explicit Implementation for w = 2 

In the following we show how the ideas of Section 4.2 lead to an efficient left-to-right scalar multiplication algorithm. For the sake of simplicity, we begin with the special case $w = 2$. The treatment for general width $w$ can be found in the full version of this paper [OSST04]. 

Let $d$ be a binary string. The MOF and 2MOF representations of $d$ are denoted by $\mu$ and $\delta$, respectively. The proposed scheme scans the two bits of $\mu$ from the most significant bit, and if the sequences $1\bar{1}$ or $\bar{1}1$ appear, we perform the following conversions: $1\bar{1} \mapsto 01$ and $\bar{1}1 \mapsto 0\bar{1}$. Two consecutive bits of $d$ determine the corresponding bit of the MOF $\mu$. Thus, three consecutive bits of $d$ can generate the corresponding bit of the 2MOF $\delta$. In order to find an efficient implementation, we discuss the relationship of the bit representations among $\mu$, $\delta$, and $d$. The $i$-th bits of $\mu, \delta, d$ are denoted by $\mu_i, \delta_i, d_i$, respectively. Because of the relation $\mu_i = d_{i-1} - d_i$, we know $\mu_i = 0$ if and only if $d_{i-1} = d_i$. The other 3-bit binary strings $(d_i, d_{i-1}, d_{i-2})$ where $d_{i-1} \neq d_i$ are only $(d_i, d_{i-1}, d_{i-2}) = (0, 1, 1), (1, 0, 0), (0, 1, 0), (1, 0, 1)$, corresponding to $(\delta_i, \delta_{i-1}) = (1, 0), (-1, 0), (0, 1), (0, -1)$. Thus, there is a one-to-one map between $(\delta_i, \delta_{i-1})$ and $(d_i, d_{i-1}, d_{i-2})$ leading to the explicit Algorithm 6. 
Algorithm 6 Explicit Left-to-Right Generation of 2MOF 
Input: a non-zero n-bit binary string d = d_{n-1}|d_{n-2}|...|d_1|d_0 
Output: 2MOF δ = δ_n|δ_{n-1}|...|δ_1|δ_0 of d 
  d_{-1} ← 0 
  i ← c + 1 for the largest c with d_c ≠ 0 
  δ_n ← 0; δ_{n-1} ← 0; ...; δ_{i+1} ← 0 
  while i ≥ 1 do 
    if d_{i-1} = d_i then 
      δ_i ← 0; i ← i − 1 
    else {d_{i-1} ≠ d_i} 
      δ_i ← −d_i + d_{i-2}; δ_{i-1} ← −d_{i-2} + d_{i-1}; i ← i − 2 
  if i = 0 then 
    δ_0 ← −d_0 
  return δ_n, δ_{n-1}, ..., δ_1, δ_0. 



Finally, Algorithm 7 merges the recoding stage and evaluation stage of scalar 
multiplication. 



Algorithm 7 Left-to-Right Scalar Multiplication Algorithm (On the Fly), w = 2 

Input: a point P, a non-zero n-bit binary string d = d_{n-1}|d_{n-2}|...|d_1|d_0 
Output: product dP 
  d_{-1} ← 0; d_n ← 0 
  i ← c + 1 for the largest c with d_c ≠ 0 
  if d_{i-2} = 0 then 
    Q ← P; i ← i − 2 
  else {d_{i-2} = 1} 
    Q ← ECDBL(P); i ← i − 2 
  while i ≥ 1 do 
    if d_{i-1} = d_i then 
      Q ← ECDBL(Q); i ← i − 1 
    else {d_{i-1} ≠ d_i} 
      Q ← ECDBL(Q) 
      if (d_i, d_{i-2}) = (1, 1) then 
        Q ← ECDBL(Q); Q ← ECADD(Q, −P) 
      else if (d_i, d_{i-2}) = (1, 0) then 
        Q ← ECADD(Q, −P); Q ← ECDBL(Q) 
      else if (d_i, d_{i-2}) = (0, 1) then 
        Q ← ECADD(Q, P); Q ← ECDBL(Q) 
      else if (d_i, d_{i-2}) = (0, 0) then 
        Q ← ECDBL(Q); Q ← ECADD(Q, P) 
      i ← i − 2 
  if i = 0 then 
    Q ← ECDBL(Q); Q ← ECADD(Q, −d_0 P) 
  return Q. 



The advantage of the previous algorithm is that it reduces the memory re- 
quirement since it does not store the converted representation of d. 
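To make Algorithms 6 and 7 concrete, the following Python is an added illustration and not code from the paper: it generates the MOF and (via Algorithm 6) the 2MOF of a scalar, runs the on-the-fly Algorithm 7, and checks both against the scalar exhaustively. It assumes a constructed toy group in which Python integers stand in for curve points, ECDBL(Q) = 2Q and ECADD(Q, R) = Q + R; the recoding logic is group-independent, so the same functions apply unchanged to real ECADD/ECDBL.

```python
# Added illustration (not code from the paper): MOF, the explicit 2MOF
# recoding of Algorithm 6, and the on-the-fly scalar multiplication of
# Algorithm 7 (w = 2), validated over a toy additive group. Python integers
# stand in for curve points: ECDBL(Q) = 2Q, ECADD(Q, R) = Q + R, neg(Q) = -Q.
# This is a constructed assumption; any abelian group gives the same result.

def bit_reader(d, n):
    """Return digit(i) = d_i for the n-bit scalar d, with d_{-1} = d_n = 0."""
    assert 0 < d < (1 << n), "d must be a non-zero n-bit string"
    return lambda i: (d >> i) & 1 if 0 <= i < n else 0

def mof(d, n):
    """Mutual opposite form: mu_i = d_{i-1} - d_i for i = n, ..., 0 (MSB first)."""
    digit = bit_reader(d, n)
    return [digit(i - 1) - digit(i) for i in range(n, -1, -1)]

def two_mof(d, n):
    """Algorithm 6: explicit left-to-right generation of the 2MOF of d.
    Returns the n+1 digits delta_n, ..., delta_0 (MSB first)."""
    digit = bit_reader(d, n)
    delta = [0] * (n + 1)            # delta[i] holds delta_i; leading digits stay 0
    i = (d.bit_length() - 1) + 1     # c + 1 for the largest c with d_c != 0
    while i >= 1:
        if digit(i - 1) == digit(i):     # mu_i = 0: emit 0, advance one position
            delta[i] = 0
            i -= 1
        else:                            # window (d_i, d_{i-1}, d_{i-2}) -> (delta_i, delta_{i-1})
            delta[i] = -digit(i) + digit(i - 2)
            delta[i - 1] = -digit(i - 2) + digit(i - 1)
            i -= 2
    if i == 0:                           # one digit left over: delta_0 = mu_0 = -d_0
        delta[0] = -digit(0)
    return delta[::-1]

def signed_value(digits):
    """Integer value of an MSB-first signed binary digit string."""
    value = 0
    for t in digits:
        value = 2 * value + t
    return value

def scalar_mult_on_the_fly(P, d, n, dbl, add, neg):
    """Algorithm 7: compute dP left-to-right for w = 2 without ever storing the
    recoded string; dbl/add/neg are the group operations ECDBL/ECADD/negation."""
    digit = bit_reader(d, n)
    i = (d.bit_length() - 1) + 1
    Q = P if digit(i - 2) == 0 else dbl(P)   # first window is (0, 1, d_{i-2})
    i -= 2
    while i >= 1:
        if digit(i - 1) == digit(i):         # delta_i = 0
            Q = dbl(Q)
            i -= 1
        else:
            Q = dbl(Q)
            pair = (digit(i), digit(i - 2))
            if pair == (1, 1):               # (delta_i, delta_{i-1}) = (0, -1)
                Q = dbl(Q); Q = add(Q, neg(P))
            elif pair == (1, 0):             # (-1, 0)
                Q = add(Q, neg(P)); Q = dbl(Q)
            elif pair == (0, 1):             # (1, 0)
                Q = add(Q, P); Q = dbl(Q)
            else:                            # (0, 0) -> (0, 1)
                Q = dbl(Q); Q = add(Q, P)
            i -= 2
    if i == 0:                               # last digit delta_0 = -d_0
        Q = dbl(Q)
        if digit(0) == 1:
            Q = add(Q, neg(P))
    return Q

def verify(max_bits=9, P=7):
    """Exhaustive check for all scalars below 2**max_bits: non-zero MOF digits
    alternate in sign, MOF and 2MOF evaluate to d, and Algorithm 7 returns dP."""
    dbl, add, neg = (lambda Q: 2 * Q), (lambda Q, R: Q + R), (lambda Q: -Q)
    for d in range(1, 1 << max_bits):
        n = d.bit_length()
        mu = mof(d, n)
        nonzero = [t for t in mu if t != 0]
        assert all(a == -b for a, b in zip(nonzero, nonzero[1:]))
        delta = two_mof(d, n)
        assert signed_value(mu) == d and signed_value(delta) == d
        assert set(delta) <= {-1, 0, 1} and len(delta) == n + 1
        assert scalar_mult_on_the_fly(P, d, n, dbl, add, neg) == d * P
    return True

if __name__ == "__main__":
    print("2MOF(11) =", two_mof(11, 4))        # [0, 1, 1, 0, -1]
    print("all checks passed:", verify())
```

Note that 2MOF is not the NAF: for d = 11 the 2MOF is 0 1 1 0 −1 while the NAF is 1 0 −1 0 −1, although both have the same average non-zero density.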
6 Conclusion 

It was an unsolved problem to generate a signed representation left-to-right for a general width $w$. In this paper we presented a solution of this problem. The proposed scheme inherits the outstanding properties of wNAF, namely the set of pre-computed elements and the non-zero density are the same as those of wNAF. In order to achieve a left-to-right exponent recoding, we defined a new canonical representation of signed binary strings, called the mutual opposite form (MOF). An $n$-bit integer can be uniquely represented by an $(n+1)$-bit MOF, and this representation can be constructed efficiently left-to-right. Then the proposed exponent recoding is obtained by applying the width $w$ (left-to-right) sliding window conversion to MOF. The proposed scheme is conceptually easy to understand and it is quite simple to implement. Moreover, if we apply the width $w$ (right-to-left) sliding window conversion to MOF, we surprisingly obtain the classical wNAF. This is the first carry-free algorithm for generating wNAF. Therefore the proposed scheme has a lot of advantages and it promises to be a good alternative to wNAF. We believe that there will be many new applications of this algorithm for cryptography. 
Abstract. Pairing-based cryptosystems rely on bilinear non-degenerate 
maps called pairings, such as the Tate and Weil pairings defined over 
certain elliptic curve groups. In this paper we show how to compress 
pairing values, how to couple this technique with that of point compres- 
sion, and how to benefit from the compressed representation to speed 
up exponentiations involving pairing values, as required in many pairing 
based protocols. 

Keywords: pairing-based cryptosystem, efficient implementation. 



1 Introduction 

With the discovery of a viable identity-based encryption scheme based on the 
Weil pairing [5], pairing-based cryptography has become of great interest to 
cryptographers. Since then, pairing-based protocols - many with novel properties 
- have been proposed for key exchange [30], digital signature [6], encryption [5], 
and signcryption [28]. Although the Weil pairing was initially proposed as a 
suitable construct for the realisation of such protocols, it is now usually accepted 
that the Tate pairing is preferable for its greater efficiency. Supersingular elliptic 
curves were originally proposed as a suitable setting for pairing-based schemes; 
recent work has shown that certain ordinary curves are equally suitable, and 
offer greater flexibility in the choice of security parameters [3, 26]. Fast computer 
algorithms for the computation of the Tate pairing on both supersingular and 
ordinary curves have been suggested in [1,3, 12]. 

The Tate pairing calculation involves an application of Miller’s algorithm [24] 
coupled to a final exponentiation to get a unique value. A typical protocol step 
requires the calculation of a pairing value followed by a further exponentiation 
of the result. 

In this paper we explore the concept of compressed pairings, their efficient computation, and the subsequent processing (typically exponentiation) of pairing values. Our main contribution is to show that one can effectively reduce the bandwidth occupied by pairing values without impairing security or processing time; in some cases, one even obtains a 30%-40% speed enhancement. Our work gives further motivation for the approach of Galbraith et al. [14], who investigate the bit security of pairing values and show that taking the trace causes no loss of security. 

M. Franklin (Ed.): CRYPTO 2004, LNCS 3152, pp. 140-156, 2004. 

This paper is organized as follows. Section 2 introduces basic mathemati- 
cal concepts. Section 3 discusses laddering exponentiation of pairing values, and 
introduces a laddering variant of the BKLS [1] algorithm to compute pairings. 
Section 4 describes how to compress pairing values to half length, and establishes 
a connection with the techniques of point compression and point reduction. Sec- 
tion 5 defines a ternary exponentiation ladder for finite fields in characteristic 3. 
Section 6 describes how to compress pairing values to one third of their length, 
presents a more efficient and slightly simpler version of the Duursma-Lee algo- 
rithm [11] that enables pairing computation in compressed form, and discusses 
improved variants of point compression and point reduction in characteristic 3. 
We summarise our work in section 7. 



2 Mathematical Preliminaries 

The theory behind elliptic curve cryptography is well documented in standard 
texts. The reader is referred to [23] for more background. 

Let $p$ be a prime number, $m$ a positive integer and $\mathbb{F}_{p^m}$ the finite field with $p^m$ elements; $p$ is said to be the characteristic of $\mathbb{F}_{p^m}$, and $m$ is its extension degree. Unless otherwise stated, we assume $p \neq 2$ throughout this paper. 

Let $q = p^m$. An elliptic curve $E(\mathbb{F}_q)$ is the set of solutions $(x, y)$ over $\mathbb{F}_q$ to an equation of form $E: y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$, where $a_i \in \mathbb{F}_q$, together with an additional point at infinity, denoted $O$. The same equation defines curves over $\mathbb{F}_{q^k}$ for $k > 0$ (although note that the $a_i$ remain in $\mathbb{F}_q$). The number of points on an elliptic curve $E(\mathbb{F}_{q^k})$, denoted $\#E(\mathbb{F}_{q^k})$, is called the order of the curve over the field $\mathbb{F}_{q^k}$. 

An (additive) Abelian group structure is defined on $E$ by the well known secant-and-tangent method [29]. Let $n = \#E(\mathbb{F}_{q^k})$. The order of a point $P \in E$ is the least nonzero integer $r$ such that $rP = O$, where $rP$ is the sum of $r$ terms equal to $P$. The order of a point divides the curve order. For a given integer $r$, the set of all points $P \in E$ such that $rP = O$ is denoted $E[r]$. We say that $E[r]$ has embedding degree $k$ if $r \mid q^k - 1$ and $r \nmid q^s - 1$ for any $0 < s < k$. In this paper we assume $k > 1$. It is in fact not difficult to find suitable curves with this property for relatively small values of $k$ as described in [2,7,10]. We are interested here in curves where $k$ is even, as this case facilitates fast calculation of the Tate pairing [3]. 

For our purposes, a divisor is a formal sum $\mathcal{A} = \sum_P a_P (P)$ of points on the curve $E(\mathbb{F}_{q^k})$. An Abelian group structure is defined on the set of divisors by the addition of corresponding coefficients in their formal sums; in particular, $n\mathcal{A} = \sum_P (n a_P)(P)$. The degree of a divisor $\mathcal{A}$ is the sum $\deg(\mathcal{A}) = \sum_P a_P$. Let $f: E(\mathbb{F}_{q^k}) \to \mathbb{F}_{q^k}$ be a function on the curve and let $\deg(\mathcal{A}) = 0$. We define $f(\mathcal{A}) = \prod_P f(P)^{a_P}$. The divisor of a function $f$ is $(f) = \sum_P \mathrm{ord}_P(f)(P)$. A divisor $\mathcal{A}$ is called principal if $\mathcal{A} = (f)$ for some function $f$. A divisor $\mathcal{A}$ is principal if and only if $\deg(\mathcal{A}) = 0$ and $\sum_P a_P P = O$ [23, theorem 2.25]. Two divisors $\mathcal{A}$ and $\mathcal{B}$ are equivalent, $\mathcal{A} \sim \mathcal{B}$, if their difference $\mathcal{A} - \mathcal{B}$ is a principal divisor. Let $P \in E(\mathbb{F}_q)[r]$ where $r$ is coprime to $q$, and let $\mathcal{A}_P$ be a divisor equivalent to $(P) - (O)$; under these circumstances the divisor $r\mathcal{A}_P$ is principal, and hence there is a function $f_P$ such that $(f_P) = r\mathcal{A}_P = r(P) - r(O)$. The (reduced) Tate pairing of order $r$ is the map $e_r: E(\mathbb{F}_q)[r] \times E(\mathbb{F}_{q^k}) \to \mathbb{F}_{q^k}^*$, given by $e_r(P, Q) = f_P(\mathcal{D})^{(q^k - 1)/r}$ for some divisor $\mathcal{D} \sim (Q) - (O)$. The Tate pairing is bilinear and non-degenerate; assuming $k > 1$, one gets $e_r(P, Q) \neq 1$ if $Q$ is chosen from a coset containing a point of order $r$ which is linearly independent from $P$. The computation of $f_P(\mathcal{D})$ is achieved by an application of Miller's algorithm [24], whose output is only defined up to an $r$-th power in $\mathbb{F}_{q^k}^*$. The final exponentiation to the power of $(q^k - 1)/r$ is needed to produce a unique result, and it also makes it possible to compute $f_P(Q)$ rather than $f_P(\mathcal{D})$ [1]. Sometimes we will drop the $r$ subscript of the Tate pairing, writing simply $e(P, Q)$. 



2.1 Lucas Sequences 

Lucas sequences provide a relatively cheap way of implementing $\mathbb{F}_{q^2}$ exponentiation in a subgroup whose order divides $q + 1$. They have been extensively studied in the literature, and a fast "laddering" algorithm for their computation has been developed [18, 19, 32], using ideas originally developed by Lehmer and Montgomery [20, 27]. Lucas sequences have been suggested as a suitable vehicle for certain public-key schemes (see [4]). The laddering algorithm can in fact be used as an alternative to the standard square-and-multiply approach to exponentiation in any Abelian group, but it is particularly well-suited for Lucas sequences and certain parameterisations of elliptic curves [19]. The authors of [19] go on to emphasise that the laddering algorithm requires very little memory, facilitates parallel computing, and has a natural resistance to side-channel attacks when used in a cryptographic context. 

The Lucas sequence consists of a pair of functions $U_k, V_k: \mathbb{F}_q \times \mathbb{F}_q \to \mathbb{F}_q$. Commonly one is interested in computing $U_k(P, 1)$ and $V_k(P, 1)$ for some field element $P$, in which case we write simply $U_k(P)$ and $V_k(P)$ or omit the arguments altogether. For this distinguished case the sequences are defined as 

$$U_0 = 0,\quad U_1 = 1,\quad U_{k+1} = P U_k - U_{k-1}$$
$$V_0 = 2,\quad V_1 = P,\quad V_{k+1} = P V_k - V_{k-1}$$

Only the $V_k$ sequence needs to be explicitly evaluated, as we also have the relationship 

$$U_k = (P V_k - 2 V_{k-1})/(P^2 - 4)$$

The fast laddering algorithm is described in Appendix A. Lucas sequences are useful in the exponentiation of certain field elements, as we will see next. 
3 Exponentiating Pairing Values 

We consider first the case of embedding degree $k = 2$ (although the following discussion also covers the case $k = 2d$ with the substitution $q \to q^d$). Recall that we assume the characteristic to be odd. 

We represent an element of the field $\mathbb{F}_{q^2}$ as $x + iy$, where $x, y \in \mathbb{F}_q$, and $i^2 = \delta$ for some quadratic non-residue $\delta \in \mathbb{F}_q$. Assume in what follows that all arithmetic is in the field $\mathbb{F}_q$. 

The final exponentiation in this case consists of a raising to the power of $(q - 1)(q + 1)/r$. This can be considered in two parts - exponentiation to the power of $q - 1$ followed by exponentiation to the power of $(q + 1)/r$. Now if the output of Miller's algorithm is $x + iy \in \mathbb{F}_{q^2}$, then 

$$(x + iy)^{q-1} = (x + iy)^q/(x + iy) = (x - iy)/(x + iy)$$

which is obviously much quicker than the standard square-and-multiply algorithm. The element $a + ib = (x + iy)^{q-1}$ calculated in this fashion has the property: 

$$a^2 - \delta b^2 = 1 \qquad (1)$$

where $a^2 - \delta b^2$ is called the norm of $a + ib$; this property, easily verified by simple substitution, is maintained under any subsequent exponentiation. An element of this form in $\mathbb{F}_{q^2}$ is called unitary [16]. Also observe that $(a + ib)^{-1} = (a - ib)$ for a unitary element. In fact, any element of $\mathbb{F}_{q^2}$ whose order divides $q + 1$ will have this property. 

A unitary element can obviously be determined up to the sign of $b$ from $a$ alone, using equation 1. And this is our first observation - the output of the Tate algorithm contains some considerable redundancy. It could be represented by a single element of $\mathbb{F}_q$ and a single bit to represent the sign of $b$, rather than as a full element of $\mathbb{F}_{q^2}$. 

One can efficiently raise a unitary element of $\mathbb{F}_{q^2}$ to a power $m$ by means of Lucas sequences. This is a consequence of the observation that 

$$(a + bi)^m = V_m(2a)/2 + U_m(2a)\, b\, i,$$

as one can verify by induction. As pointed out above, only $V_m(2a)$ needs to be explicitly calculated. 

If $M$ is a multiplication and $S$ a squaring in $\mathbb{F}_q$, then the computational cost of this method to compute $(a + bi)^m$ is therefore $1M + 1S$ per step, where a step involves the processing associated with a single bit of $m$ (see appendix A). The conventional binary exponentiation algorithm in $\mathbb{F}_{q^2}$ takes 1 squaring and about 1/2 multiplication in $\mathbb{F}_{q^2}$ for an overall cost of roughly $2S + 5M/2$ per step. If $\delta = -1$, then this can be reduced to $2S + 3M/2$ per step¹. Thus the improved algorithm costs about 60% as much as the basic binary square-and-multiply method. When memory is not an issue the binary algorithm can be implemented by using windowing techniques, as described in [15]. However the laddering algorithm proposed here for unitary elements will always be faster than a conventional binary algorithm for a general element in $\mathbb{F}_{q^2}$. 

¹ If $a + bi$ is unitary and $\delta = -1$, one can compute $(a + bi)^2$ as $(2a^2 - 1) + [(a + b)^2 - 1]i$, and $(a + bi)(c + di)$ as $(u - v) + (w - u - v)i$ where $u = ac$, $v = bd$, $w = (a + b)(c + d)$. 

Note that this improvement is relevant not only for the second part of the 
final exponentiation of the Tate pairing, but for any exponentiation directly 
involving pairing values, as happens in many pairing-based protocols [5, 17,28]. 
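As an added Python illustration of this section (not the paper's code), the following shows the cheap $(x + iy)^{q-1} = (x - iy)/(x + iy)$ step, the unitary property (1), compression of a unitary element to one $\mathbb{F}_q$ element plus a sign bit, and exponentiation by the $V_k$ ladder with $(a + bi)^m = V_m(2a)/2 + U_m(2a)\,b\,i$, checked against ordinary square-and-multiply in $\mathbb{F}_{q^2}$. It assumes a constructed small prime $q \equiv 3 \pmod 4$, so that $\delta = -1$ is a quadratic non-residue and square roots are a single exponentiation.

```python
# Added illustration (not the paper's code): unitary elements of F_{q^2},
# their compression to (a, sign of b), and Lucas-sequence exponentiation.
# Constructed assumption: q = 10007 is prime with q = 3 (mod 4), so delta = -1
# is a quadratic non-residue and i^2 = -1. Elements are tuples (x, y) = x + i y.

Q = 10007
DELTA = (-1) % Q

def fq2_mul(u, v):
    """(x1 + i y1)(x2 + i y2) in F_{q^2} with i^2 = DELTA."""
    x1, y1 = u
    x2, y2 = v
    return ((x1 * x2 + DELTA * y1 * y2) % Q, (x1 * y2 + x2 * y1) % Q)

def fq2_pow(u, m):
    """Reference square-and-multiply in F_{q^2}, used only to check the ladder."""
    r = (1, 0)
    for bit in bin(m)[2:]:
        r = fq2_mul(r, r)
        if bit == '1':
            r = fq2_mul(r, u)
    return r

def to_unitary(x, y):
    """(x + iy)^(q-1) = (x - iy)/(x + iy): one norm inversion, no exponentiation.
    The conjugate x - iy is (x + iy)^q because delta is a non-residue."""
    conj = (x, (-y) % Q)
    norm = (x * x - DELTA * y * y) % Q          # (x + iy)(x - iy), an F_q element
    num = fq2_mul(conj, conj)                   # (x - iy)/(x + iy) = (x - iy)^2 / norm
    inv = pow(norm, -1, Q)
    return (num[0] * inv % Q, num[1] * inv % Q)

def is_unitary(a, b):
    """Equation (1): a^2 - delta b^2 = 1."""
    return (a * a - DELTA * b * b) % Q == 1

def lucas_v(p, m):
    """Montgomery ladder for the Lucas sequence V_0 = 2, V_1 = p, V_{k+1} = p V_k - V_{k-1}.
    Keeps (V_k, V_{k+1}) and uses V_{2k} = V_k^2 - 2, V_{2k+1} = V_k V_{k+1} - p.
    Returns (V_m, V_{m+1}); one multiplication and one squaring in F_q per bit of m."""
    v0, v1 = 2, p % Q
    for bit in bin(m)[2:]:
        if bit == '0':
            v0, v1 = (v0 * v0 - 2) % Q, (v0 * v1 - p) % Q
        else:
            v0, v1 = (v0 * v1 - p) % Q, (v1 * v1 - 2) % Q
    return v0, v1

def unitary_pow(a, b, m):
    """(a + bi)^m = V_m(2a)/2 + U_m(2a) b i for unitary a + bi,
    with U_m = (P V_m - 2 V_{m-1})/(P^2 - 4) and P = 2a."""
    if b == 0:                                   # a = +-1: P^2 - 4 = 0, handle directly
        return (pow(a, m, Q), 0)
    p = 2 * a % Q
    vm, vm1 = lucas_v(p, m)                      # V_m, V_{m+1}
    vm_prev = (p * vm - vm1) % Q                 # V_{m-1} = P V_m - V_{m+1}
    um = (p * vm - 2 * vm_prev) * pow((p * p - 4) % Q, -1, Q) % Q
    return (vm * pow(2, -1, Q) % Q, um * b % Q)

def compress(a, b):
    """Keep a and one bit for the sign of b (b counts as negative if b > (q-1)/2)."""
    return a, int(b > Q // 2)

def decompress(a, sign):
    """Recover b from a^2 - delta b^2 = 1; the sign bit selects between +-b."""
    b2 = (a * a - 1) * pow(DELTA, -1, Q) % Q
    b = pow(b2, (Q + 1) // 4, Q)                 # square root, valid since q = 3 (mod 4)
    if b * b % Q != b2:
        raise ValueError("a does not describe a unitary element")
    if int(b > Q // 2) != sign:
        b = (-b) % Q
    return a, b

if __name__ == "__main__":
    u = to_unitary(3, 5)                         # constructed Miller-style output 3 + 5i
    assert u == fq2_pow((3, 5), Q - 1) and is_unitary(*u)
    assert unitary_pow(u[0], u[1], 12345) == fq2_pow(u, 12345)
    assert decompress(*compress(*u)) == u
    print("unitary element", u, "compresses to", compress(*u))
```

The ladder never forms an $\mathbb{F}_{q^2}$ product, which is the whole point of the $1M + 1S$ per step count above; the reference `fq2_pow` exists only to check it.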



3.1 A Laddering Pairing Algorithm 

For $U, V \in E(\mathbb{F}_q)$, define $g_{U,V}$ to be the line through $U$ and $V$. For all $a, b \in \mathbb{Z}$, the line function satisfies $(g_{aP,bP}) = (aP) + (bP) + (-[a + b]P) - 3(O)$. 

Let $P \in E(\mathbb{F}_q)$, and for $c \in \mathbb{Z}$ let $f_c$ be a function with divisor $(f_c) = c(P) - (cP) - (c - 1)(O)$. One can show that $f_{a+b}(\mathcal{D}) = f_a(\mathcal{D}) \cdot f_b(\mathcal{D}) \cdot g_{aP,bP}(\mathcal{D}) / g_{[a+b]P, -[a+b]P}(\mathcal{D})$ up to a constant nonzero factor. This is called Miller's formula. In the computation of the Tate pairing $e_r(P, Q)$ for even $k$ and a careful choice of $P$ and $Q$ (see [1,3]), this formula can be simplified to $f_{a+b}(Q) = f_a(Q) \cdot f_b(Q) \cdot g_{aP,bP}(Q)$. 

Let $(r_t, \dots, r_0)_2$ be the binary representation of $r$. By coupling Miller's simplified formula with Montgomery's scalar multiplication ladder, we get a laddering version of the BKLS algorithm [1] to compute $e_r(P, Q)$: 

Laddering BKLS algorithm to compute $e_r(P, Q)$: 

  v_0 ← 1, v_1 ← g_{P,P}(Q)        // v_0 = f_1(Q) = 1, v_1 = f_2(Q) = f_1(Q)² g_{P,P}(Q) 
  R_0 ← P, R_1 ← 2P 
  for i ← t − 1 downto 0 do 
    if r_i = 0 then 
      v_0 ← v_0² · g_{R_0,R_0}(Q), R_1 ← R_0 + R_1 
      R_0 ← 2R_0, v_1 ← v_0 · g_{R_0,P}(Q) 
    else 
      v_1 ← v_1² · g_{R_1,R_1}(Q), R_0 ← R_0 + R_1 
      R_1 ← 2R_1, v_0 ← v_1 · g_{R_1,−P}(Q) 
    end if 
  end for 
  return v_0^{(q^k − 1)/r} 

Although this algorithm has no computational advantage over the original BKLS, it may be useful in the same context of the laddering algorithms described in [19]. 

4 Compressing Pairings to Half Length 



Instead of keeping the full $a + bi$ value of the Tate pairing, it may be possible for cryptographic purposes to discard $b$ altogether, leaving the values defined only up to conjugation, which means one of the pairing arguments will only be defined up to a sign: 

$$e(P, Q) = a + bi \mapsto a - bi = (a + bi)^{-1} = e(P, Q)^{-1} = e(P, -Q).$$

This is similar to the point reduction technique, whereby instead of keeping $Q = (x, y)$ one only keeps the abscissa $x$. 

Definition 1. The $\mathbb{F}_q$-trace of an element $u \in \mathbb{F}_{q^2}$ is the sum of the conjugates of $u$, $\mathrm{tr}(u) = u + u^q$. 

Notice that $\mathrm{tr}(a + ib) = (a + ib) + (a - ib) = 2a$, in effect discarding the imaginary part. We define the compressed Tate pairing $\hat{e}(P, Q)$ as $\mathrm{tr}(e(P, Q))$². 



4.1 Point Reduction 

Point reduction is an optimization technique introduced by Miller in 1985 [25]. It consists of basing cryptographic protocols solely on the $x$ coordinate of the points involved rather than using both coordinates. This setting is possible because the $x$ coordinate of any multiple of a given point $P$ depends only on the $x$ coordinate of $P$. A related but less efficient technique is that of point compression, which consists of keeping not only the $x$ coordinate but also a single bit $\beta$ from the $y$ coordinate to choose between the two roots $y_\pm = \pm\sqrt{x^3 + ax + b}$. 

Some pairing-based cryptosystems have been originally defined to take profit from point reduction. An example is the BLS signature scheme [6], where the signature of a message represented by a curve point $M$ under the signing key $s$ is the $x$ coordinate $\sigma$ of the point $S = sM$. This means that, implicitly, the actual signature is $\pm S$ rather than $S$ alone. To verify a BLS signature, the verifier checks whether $e(M, V) = e(\pm S, Q)$, where the verification key is $V = sQ$. Incidentally, the verification key itself can be reduced to its $x$ coordinate (say, $\nu$), even though this possibility does not seem to have been considered by the authors of BLS. 

4.2 Coupling Point Reduction with Compressed Pairings 

Verifying a BLS signature involves computing a point $V' \in \{V, -V\}$ from $\nu$, a point $S' \in \{S, -S\}$ from $\sigma$, and checking whether $e_r(M, V') = e(S', Q)$ or $e(M, V') = e(S', Q)^{-1}$. Using the property that any pairing value $z$ is unitary (and hence $z^{-1} = \bar{z}$), one can simply check whether $\mathrm{tr}(e(M, V')) = \mathrm{tr}(e(S', Q))$. This is especially interesting, since a compressed pairing $\hat{e}(P, Q)$ is precisely $\mathrm{tr}(e(\pm P, \pm Q))$. 

An important aside is that exponentiation of compressed pairings must take into account the fact that they are actually traces of full pairings. This means one cannot exponentiate a pairing as if it were a simple $\mathbb{F}_{q^{k/2}}$ value; rather, one must always handle it as a Lucas sequence element. 

² Rubin and Silverberg [13] use traces to compress BLS signatures, but in an entirely different manner, and with a compression factor much closer to 1. 
5 A Ternary Exponentiation Ladder 

Supersingular curves in characteristic 3 are a popular choice of underlying algebraic structure for pairing-based cryptosystems, since many optimisations are possible in such a setting [1,11,12]. Pairing compression is possible for those systems, and we now propose a ternary ladder for Lucas sequences in characteristic 3 that keeps the exponentiation cost in $\mathbb{F}_{q^k}$ within about 33% of the exponentiation cost in $\mathbb{F}_{q^{k/2}}$. 

Assume the sequence element index is written in signed ternary notation, $K = (d_{t-1}, \dots, d_0)_3$, with $d_{t-1} = 1$. At step $j$ (counting downwards from $t - 1$ to 0), we want to compute $V_{K_j}$ where $K_j = \sum_{i=j}^{t-1} d_i 3^{i-j}$. Thus, by definition, $K_j = 3K_{j+1} + d_j$. 

For $d_j = -1$, we write down the formulas to compute $V_{3K_{j+1}-2}$, $V_{3K_{j+1}-1}$ and $V_{3K_{j+1}}$ (recall that $V_{3k} = V_k^3$ in characteristic 3, so $V_{3K_{j+1}-3} = V_{K_{j+1}-1}^3$): 

$$V_{3K_{j+1}} = V_{K_{j+1}}^3,\qquad V_{3K_{j+1}-1} = P\,V_{3K_{j+1}-2} - V_{K_{j+1}-1}^3,\qquad V_{3K_{j+1}-2} = P\,V_{3K_{j+1}-1} - V_{3K_{j+1}}.$$

Similarly, for $d_j = 1$ we write down the formulas to compute $V_{3K_{j+1}}$, $V_{3K_{j+1}+1}$ and $V_{3K_{j+1}+2}$: 

$$V_{3K_{j+1}} = V_{K_{j+1}}^3,\qquad V_{3K_{j+1}+1} = P\,V_{3K_{j+1}+2} - V_{K_{j+1}+1}^3,\qquad V_{3K_{j+1}+2} = P\,V_{3K_{j+1}+1} - V_{3K_{j+1}}.$$

In each case, the second and third relations constitute a simple linear system. Solving them, we get these expressions for $V_{3K_{j+1}-1}$, $V_{3K_{j+1}}$ and $V_{3K_{j+1}+1}$: 

$$\begin{aligned}
V_{3K_{j+1}-1} &= (P^2 - 1)^{-1}\big[P V_{K_{j+1}}^3 + V_{K_{j+1}-1}^3\big] \\
 &= (P^2 - 1)^{-1}\big[P V_{K_{j+1}}^3 + (P V_{K_{j+1}} - V_{K_{j+1}+1})^3\big] \\
 &= (P^2 - 1)^{-1}\big[(P + P^3) V_{K_{j+1}}^3 - V_{K_{j+1}+1}^3\big], \\
V_{3K_{j+1}} &= V_{K_{j+1}}^3, \\
V_{3K_{j+1}+1} &= (P^2 - 1)^{-1}\big[P V_{K_{j+1}}^3 + V_{K_{j+1}+1}^3\big] \\
 &= (P^2 - 1)^{-1}\big[P V_{K_{j+1}}^3 + (P V_{K_{j+1}} - V_{K_{j+1}-1})^3\big] \\
 &= (P^2 - 1)^{-1}\big[(P + P^3) V_{K_{j+1}}^3 - V_{K_{j+1}-1}^3\big].
\end{aligned}$$

If $(P^2 - 1)^{-1}$ and $P + P^3$ are precomputed, computing $V_{3K_{j+1}}$ and one of $V_{3K_{j+1}-1}$ or $V_{3K_{j+1}+1}$ involves two products and two cubes, and the computation can be carried out using only $V_{K_{j+1}}$ and one of $V_{K_{j+1}-1}$ or $V_{K_{j+1}+1}$. We can therefore keep track of which value between these two actually accompanies $V_{K_{j+1}}$, and compute $V_{K_j}$ and $V_{K_j \pm 1}$ at the cost of only 2 products and two cubes per step. Besides, since we are working in characteristic 3, the cost of cubing is negligible compared to the cost of multiplying. 

The binary ladder computes $V_{K_j}$ and $V_{K_j+1}$ at the cost of one squaring and one product, or about 1.8 products, per step. However, the step count of the ternary ladder is only about $1/\lg(3)$ of its binary counterpart, and hence its total cost is about 70% of the binary ladder. We point out that the ternary ladder can be used for plain exponentiation in characteristic 3 as an independent technique, even in contexts where compressed pairings are not desired or not an option. 

A detailed ternary ladder algorithm is described in Appendix A. 



6 Compressing Pairings to a Third of Their Length 

Definition 2. The $\mathbb{F}_{q^2}$-trace of an element $f \in \mathbb{F}_{q^6}$ is the value $\mathrm{tr}(f) = f + f^{q^2} + f^{q^4} \in \mathbb{F}_{q^2}$. 

The trace is $\mathbb{F}_{q^2}$-linear: $\mathrm{tr}(au) = a\,\mathrm{tr}(u)$ for any $a \in \mathbb{F}_{q^2}$ and $u \in \mathbb{F}_{q^6}$. 

When the elliptic curve has an embedding degree $k = 6$, the Tate pairing algorithm outputs an element of $\mathbb{F}_{q^6}$ of order $r$, where $r$ divides $q^6 - 1$, but not $q^i - 1$ for $0 < i < 6$. Now $q^6 - 1 = \Phi_1(q)\Phi_2(q)\Phi_3(q)\Phi_6(q)$. Therefore the output of the Tate pairing is an element of order $r$ which divides $\Phi_6(q) = q^2 - q + 1$. 

For $q \equiv 2 \pmod 3$, these are precisely the type of points considered in the XTR public key scheme [21] (which is based on the ideas of [8]), and all of the time/space optimizations that have been developed for this scheme [21, 31] apply here as well. In particular, we note that laddering algorithms again appear to be optimal [31], and the Tate pairing output can be represented by its $\mathbb{F}_{q^2}$-trace, and hence compressed by a factor of 3. Observe that the compressed value, being a trace, must be implicitly exponentiated using the Lenstra-Verheul algorithm [21, Algorithm 2.3.7] - the trace value per se is not even a point of order $r$. 

For supersingular curves in characteristic 3 we can do better than merely take the trace - rather, it is possible to do nearly all computations without resorting to arithmetic any more complex than that on $\mathbb{F}_{q^2}$. 

6.1 Simpler Arithmetic for Pairing Computation in Characteristic 3 

Let $q = 3^m$ for some $m \equiv 1, 5 \pmod 6$, let $b = \pm 1$, and let $\sigma, \rho \in \mathbb{F}_{q^6}$ be elements satisfying $\sigma^2 + 1 = 0$ and $\rho^3 - \rho - b = 0$. The modified Tate pairing on the supersingular curve $E(\mathbb{F}_{3^m}): y^2 = x^3 - x + b$ is the mapping $\hat{e}_r(P, Q) = e_r(P, \phi(Q))$, where $\phi: E(\mathbb{F}_q) \to E(\mathbb{F}_{q^6})$ is the distortion map $\phi(x, y) = (\rho - x, \sigma y)$. 

Duursma and Lee showed [11, Theorem 5] that the modified Tate pairing for points $P = (\alpha, \beta)$ and $Q = (x, y)$ can be written as a product of factors of form $g = \beta y \sigma - (\alpha + x - \rho + b)^2$. This expression can be rewritten as $g = \lambda - \mu\rho - \rho^2$, where $\mu = \alpha + x + b \in \mathbb{F}_q$ and $\lambda = \beta y \sigma - \mu^2 \in \mathbb{F}_{q^2}$. Specifically, the Duursma-Lee algorithm to compute $f_P(\phi(Q))$ is as follows (cf. [11, Algorithm 4]): 
Duursma-Lee algorithm to compute $f_P(\phi(Q))$: 

  f ← 1 
  for i ← 1 to m do 
    α ← α³, β ← β³ 
    μ ← α + x + b, λ ← βyσ − μ² 
    g ← λ − μρ − ρ², f ← f · g 
    x ← x^{1/3}, y ← y^{1/3} 
  end for 
  return f 

The output is an element $f \in \mathbb{F}_{q^6}$. We now show that this algorithm can be modified to compute $\mathrm{tr}(f)$ instead, by maintaining a ladder of three values $[\mathrm{tr}(f), \mathrm{tr}(f\rho), \mathrm{tr}(f\rho^2)]$. Since $f$ is initialized to 1, the initial ladder can be computed from $\rho$ alone, namely, $[\mathrm{tr}(1), \mathrm{tr}(\rho), \mathrm{tr}(\rho^2)] = [0, 0, 2]$, as one readily deduces from the definition of $\rho$: 

Theorem 1. Let $q = 3^m$ for some $m \equiv 1, 5 \pmod 6$, and let $\rho \in \mathbb{F}_{q^6}$ satisfy $\rho^3 - \rho - b = 0$. Then $\mathrm{tr}(\rho) = 0$ and $\mathrm{tr}(\rho^2) = 2$. 

Proof. From $\rho^3 = \rho + b$ it follows by induction that $\rho^{3^n} = \rho + nb$, and hence $\rho^{q^2} = \rho^{3^{2m}} = \rho + 2mb$ and $\rho^{q^4} = \rho^{3^{4m}} = \rho + mb$, so that $\mathrm{tr}(\rho) = \rho + \rho^{q^2} + \rho^{q^4} = \rho + \rho + 2mb + \rho + mb = 0$. Moreover, $(\rho^2)^{3^n} = (\rho^{3^n})^2 = (\rho + nb)^2 = \rho^2 - nb\rho + n^2$, so that $\mathrm{tr}(\rho^2) = \rho^2 + (\rho^2)^{q^2} + (\rho^2)^{q^4} = \rho^2 + \rho^2 - 2mb\rho + (2m)^2 + \rho^2 - mb\rho + m^2 = 2$. 

□ 

At each step of the loop, we compute $[\mathrm{tr}(fg), \mathrm{tr}(fg\rho), \mathrm{tr}(fg\rho^2)]$ according to the following theorem: 

Theorem 2. 

$$\begin{bmatrix} \mathrm{tr}(fg) \\ \mathrm{tr}(fg\rho) \\ \mathrm{tr}(fg\rho^2) \end{bmatrix} = A \cdot \begin{bmatrix} \mathrm{tr}(f) \\ \mathrm{tr}(f\rho) \\ \mathrm{tr}(f\rho^2) \end{bmatrix}, \quad \text{where } A = \begin{bmatrix} \lambda & -\mu & -1 \\ -b & (\lambda - 1) & -\mu \\ -b\mu & -(\mu + b) & (\lambda - 1) \end{bmatrix}.$$

Proof. Using the $\mathbb{F}_{q^2}$-linearity of the trace and the defining property $\rho^3 = \rho + b$, we have $fg = f(\lambda - \mu\rho - \rho^2) \Rightarrow \mathrm{tr}(fg) = \lambda\,\mathrm{tr}(f) - \mu\,\mathrm{tr}(f\rho) - \mathrm{tr}(f\rho^2)$. Similarly, $fg\rho = f(\lambda - \mu\rho - \rho^2)\rho = \lambda f\rho - \mu f\rho^2 - f\rho - bf \Rightarrow \mathrm{tr}(fg\rho) = -b\,\mathrm{tr}(f) + (\lambda - 1)\,\mathrm{tr}(f\rho) - \mu\,\mathrm{tr}(f\rho^2)$. Finally, $fg\rho^2 = -bf\rho + (\lambda - 1)f\rho^2 - \mu f\rho - \mu b f \Rightarrow \mathrm{tr}(fg\rho^2) = -\mu b\,\mathrm{tr}(f) - (\mu + b)\,\mathrm{tr}(f\rho) + (\lambda - 1)\,\mathrm{tr}(f\rho^2)$. □ 

Therefore, defining $L = [L_0, L_1, L_2]^T = [\mathrm{tr}(f), \mathrm{tr}(f\rho), \mathrm{tr}(f\rho^2)]^T$ and using the matrix $A$ defined above, the modified algorithm to compute pairing traces reads: 
A laddering algorithm to compute $\mathrm{tr}(f_P(\phi(Q)))$: 

  L ← [0, 0, 2]   // = [tr(1), tr(ρ), tr(ρ²)] 
  for i ← 1 to m do 
    α ← α³, β ← β³ 
    μ ← α + x + b, λ ← βyσ − μ² 
    L ← A · L 
    x ← x^{1/3}, y ← y^{1/3} 
  end for 
  return L_0 

However, to obtain a unique pairing value suitable for pairing-based protocols we need $\mathrm{tr}(f_P(\phi(Q))^{(q^6 - 1)/r})$ rather than $\mathrm{tr}(f_P(\phi(Q)))$. Let $e = f_P(\phi(Q))$. The simplest (and seemingly the most efficient) way to do it is to recover $e$ from all three components of $L = [\mathrm{tr}(e), \mathrm{tr}(e\rho), \mathrm{tr}(e\rho^2)]$. 

We use the $\mathbb{F}_{q^2}$-linearity of the trace and the fact that $\{1, \rho, \rho^2\}$ is a basis of $\mathbb{F}_{q^6}$ with respect to $\mathbb{F}_{q^2}$, i.e. any element $e \in \mathbb{F}_{q^6}$ can be written as $e = x + y\rho + z\rho^2$ where $x, y, z \in \mathbb{F}_{q^2}$. The trick is straightforward: 

1. $L_0 = \mathrm{tr}(e) = \mathrm{tr}(x + y\rho + z\rho^2) = x\,\mathrm{tr}(1) + y\,\mathrm{tr}(\rho) + z\,\mathrm{tr}(\rho^2) = 2z \Rightarrow z = -L_0$. 

2. $L_1 = \mathrm{tr}(e\rho) = \mathrm{tr}(x\rho + y\rho^2 + z(\rho + b)) = bz\,\mathrm{tr}(1) + (x + z)\,\mathrm{tr}(\rho) + y\,\mathrm{tr}(\rho^2) = 2y \Rightarrow y = -L_1$. 

3. $L_2 = \mathrm{tr}(e\rho^2) = \mathrm{tr}(x\rho^2 + y(\rho + b) + z(\rho^2 + b\rho)) = by\,\mathrm{tr}(1) + (y + bz)\,\mathrm{tr}(\rho) + (x + z)\,\mathrm{tr}(\rho^2) = 2(x + z) \Rightarrow x = L_0 - L_2$. 

Thus we recover $e$ from the pairing ladder essentially for free. Now one must compute $g = e^{(q^6 - 1)/r}$ and then take the trace of $g$. This can be efficiently done using the techniques described in [1, Appendix A.2], at a cost roughly equivalent to a few extra steps of the laddering algorithm. 

Each step of this laddering algorithm takes 17 $\mathbb{F}_q$ multiplications. This compares well with the original Duursma-Lee algorithm where each step takes 20 $\mathbb{F}_q$ multiplications, and avoids $\mathbb{F}_{q^6}$ arithmetic in the main loop. 

6.2 Implicit Exponentiation in Characteristic 3 

It is quite commonplace that the pairing value undergoes further exponentiation as dictated by the underlying cryptographic protocol. We are thus confronted with the task of computing $\mathrm{tr}(g^n)$ given the value of $\mathrm{tr}(g)$. The Lenstra-Verheul algorithm [21, Algorithm 2.3.7] performs this task for characteristic $p \equiv 2 \pmod 3$. We now describe a variant tailored for characteristic 3. 

Let $c \in \mathbb{F}_{q^2}$, and let $F(c, X) = X^3 - cX^2 + c^q X - 1 \in \mathbb{F}_{q^2}[X]$ with roots $h_0, h_1, h_2 \in \mathbb{F}_{q^6}$. One can show [21, Lemma 2.2.1] that, if $g \in \mathbb{F}_{q^6}$ is an element of order dividing $\Phi_6(q) = q^2 - q + 1$, then the roots of $F(\mathrm{tr}(g), X)$ are the $\mathbb{F}_{q^2}$-conjugates of $g$. Defining $c_n = h_0^n + h_1^n + h_2^n$, one can further show [21, Lemmas 2.3.2 and 2.3.4] (see also [9]) that $c_{-n} = c_n^q$ and $c_{u+v} = c_u c_v - c_v^q c_{u-v} + c_{u-2v}$. The proofs of these properties are independent of the field characteristic. 

From the above properties, one easily deduces the following relations that hold in characteristic 3: 



C2n — 

C3n — 

C3n— 1 — C2n ‘ 1 ’ C 2 

C3n— 2 — C ^ ' (^Cn—1 -\- C ^ ' C^ji—i 

t'3n+l — C2n ‘ ^n-\-l t^n+1 ’ ^n—1 “t“ C2 

t-3n+2 — C • (c,2-|_i Cti) 

Computing $c_{2n}$ takes two multiplications, $c_{3n \pm 1}$ takes four $\mathbb{F}_q$ multiplications, and $c_{3n \pm 2}$ takes six $\mathbb{F}_q$ multiplications. 

Define $L_n(c) = (c_{3n}, c_{3n+1}, c_{3n+2}, c_{3n+3}) \in (\mathbb{F}_{q^2})^4$. Using the above formulas, one can compute any one of $L_{3n}(c)$, $L_{3n+1}(c)$, or $L_{3n+2}(c)$ from $L_n(c)$ at the cost of 12 $\mathbb{F}_q$ multiplications: 

$$\begin{aligned}
L_{3n} &= (c_{9n}, c_{9n+1}, c_{9n+2}, c_{9n+3}) = (c_{3(3n)}, c_{3(3n+1)-2}, c_{3(3n+1)-1}, c_{3(3n+1)}) \\
L_{3n+1} &= (c_{9n+3}, c_{9n+4}, c_{9n+5}, c_{9n+6}) = (c_{3(3n+1)}, c_{3(3n+1)+1}, c_{3(3n+2)-1}, c_{3(3n+2)}) \\
L_{3n+2} &= (c_{9n+6}, c_{9n+7}, c_{9n+8}, c_{9n+9}) = (c_{3(3n+2)}, c_{3(3n+2)+1}, c_{3(3n+2)+2}, c_{3(3n+3)})
\end{aligned}$$

From the definition of $c_n$, it is clear that $c_n = \mathrm{tr}(g^n)$ if $c = \mathrm{tr}(g)$. Hence, if $L_{\lfloor n/3 \rfloor}(\mathrm{tr}(g)) = (S_0, S_1, S_2, S_3)$, then $\mathrm{tr}(g^n) = S_{n \bmod 3}$. The total cost of this algorithm, about $7.6 \lg n$ $\mathbb{F}_q$ multiplications, matches the complexity of the ternary ladder introduced in section 5 for $\mathbb{F}_{q^3}$-trace exponentiation. Appendix B lists this algorithm in detail. We point out that this ternary ladder can also be the basis of a characteristic 3 variant of the XTR cryptosystem. 

6.3 Coupling Pairing Compression with Point Reduction 

A nice feature of this algorithm is that it is compatible with a variant of the point reduction technique.

The conventional approach to compress a point $R = (u, v)$ is to keep only $u$ and a single bit of $v$; point reduction discards $v$ altogether. In characteristic 3, it is more advantageous to discard $u$ instead, keeping $v$ and a trit of $u$ to distinguish among the solutions of the curve equation $u^3 - u + (b - v^2) = 0$; alternatively, one can reduce $R$ by keeping only $v$ and modifying the cryptographic protocols to allow for any of the three points $R_0$, $R_1$, and $R_2$ that share the same $v$. Thus, we will show that the input to the laddering algorithm of section 6.1 can be only $y$ (or $\beta$); the corresponding $x$ (or $\alpha$) can be easily recovered except for a trit, and the actual choice of this trit does not affect the compressed pairing value.

Let $z \in \mathbb{F}_{q^6}$ where $q = 3^m$ for odd $m$, and assume the order $r$ of $z$ divides $\Phi_6(q)$, i.e. $r \mid q^2 - q + 1$. The conjugates of $z$ are $z$, $z^{q^2}$, and $z^{q^4}$, or equivalently $z$, $z^{q-1}$, and $z^{-q}$, since $q^2 \equiv q - 1 \pmod r$ and $q^4 \equiv -q \pmod r$. The trace of $z$ is the sum of the conjugates, $\mathrm{tr}(z) = z + z^{q-1} + z^{-q}$ [21]. Consider the supersingular elliptic curve $E : y^2 = x^3 - x + b$, $b \in \{-1, 1\}$, whose order is [23,
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section 5.2.2] $n = q + 1 - t = 3^m + 1 \pm 3^{(m+1)/2}$, where $t = \mp 3^{(m+1)/2}$ is the trace of the Frobenius.

Let $P = (x, y) \in E(\mathbb{F}_q)$, and let $Q \in E(\mathbb{F}_{q^6})$ be a linearly independent point. The conjugates of $e(P, Q)$ are $e(P, Q)$, $e(P, Q)^{q-1} = e([q-1]P, Q)$, and $e(P, Q)^{-q} = e(-qP, Q)$. The following property holds:

Lemma 1. If $P \in E[r]$, the points $P$, $[q-1]P$, and $-qP$ share precisely the same $y$ coordinate.

Proof. Let $P = (x, y)$. A simple inspection of the group law for characteristic 3 [1] reveals that $3P = (x^9 - b, -y^9)$, and hence $3^k P = (x^{9^k} - kb, (-1)^k y^{9^k})$. Thus $[q-1]P = q^2 P = 3^{2m} P = (x^{9^{2m}} - 2mb, (-1)^{2m} y^{9^{2m}}) = (x^{3^{4m}} + mb, y^{3^{4m}}) = (x + mb, y)$, where we used the fact that $u^{3^m} = u$ for any $u \in \mathbb{F}_{3^m}$. Similarly, $-qP = q^2(q^2 P) = q^2(x + mb, y) = (x - mb, y)$. □

We see that, for $m \not\equiv 0 \pmod 3$, the $x$ coordinates of $P$, $[q-1]P$, and $-qP$ are the three solutions to $x^3 - x + (b - y^2) = 0$, which are exactly $\{x, x+1, x+2\}$. Obviously, the traces of the pairings computed from the conjugates of $P$ are all equal, since $\mathrm{tr}(e(P, Q))$ is simply the sum of the conjugates of $e(P, Q)$. Thus, the actual solution $x$ to the curve equation above used to compute $\mathrm{tr}(e(P, Q))$ is irrelevant. Also, computing $x$ from $y$ is very efficient, since it amounts to solving a linear system (see appendix C).

7 Conclusions 

We have introduced the notion of compressed pairings, and suggested how they 
can be realised as traces of ordinary Tate pairings. We also described how com- 
pressed pairings can be computed and implicitly exponentiated by means of 
laddering algorithms, with a compression ratio of 1 /2 in characteristic p > 3 
and 1/3 in characteristic 3; our algorithms thus reduce bandwidth requirements 
without impairing performance. Finally, we showed how to couple compressed 
pairings with the technique of point compression or point reduction. As a side 
result, we proposed an efficient laddering algorithm for plain exponentiation in 
characteristic 3, which can be used even in contexts where compressed pairings 
are not desired. 

Our work constitutes evidence that the security of pairing-based cryptosys- 
tems is linked to the security of the Lucas/XTR schemes, and gives further 
motivation for the approach of Galbraith et al. regarding the use of traces to 
prevent security losses. 

We leave it as an open problem to find a method to compute pairings directly 
in compressed form when the compression ratio is 1 /3 or better on ordinary 
(non-supersingular) curves in characteristic p > 3. 
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A Computation of Lucas Sequence Elements

The Lucas sequence $V_n(P, 1)$ for some field element $P$ is defined by the following recurrence relations:

$$V_0 = 2, \quad V_1 = P, \quad V_{n+1} = P V_n - V_{n-1}.$$

Let $n = (n_t \cdots n_0)_2$ be an integer in binary representation, with $n_t = 1$. The Lucas sequence element $V_n(P, 1)$ can be computed as:

    v_0 ← 2, v_1 ← P
    for j ← t downto 0 do
        if n_j = 1 then
            v_0 ← v_0 v_1 − P, v_1 ← v_1^2 − 2
        else
            v_1 ← v_0 v_1 − P, v_0 ← v_0^2 − 2
        end if
    end for
    return v_0

(The invariant is $(v_0, v_1) = (V_k, V_{k+1})$ for the prefix $k$ of $n$ processed so far.)



Let $n = (n_t \cdots n_0)_3$ be the signed ternary representation of $n \neq 0$, with digits $n_j \in \{-1, 0, 1\}$. The Lucas sequence element $V_n(P, 1)$ in characteristic 3 (as needed for the implicit exponentiation of $\mathbb{F}_{q^3}$-traces of $\mathbb{F}_{q^6}$ values) can be computed using the following algorithm:

    ρ ← (P^2 − 1)^{−1}, T ← P + P^3
    v_0 ← 2, v_1 ← P, up ← true
    for j ← t downto 0 do
        w ← v_0^3
        if n_j = −1 then
            v_0 ← if up then ρ(Tw − v_1^3) else ρ(Pw + v_1^3)
            v_1 ← w
            up ← true
        else if n_j = 1 then
            v_0 ← if up then ρ(Pw + v_1^3) else ρ(Tw − v_1^3)
            v_1 ← w
            up ← false
        else /* n_j = 0 */
            v_1 ← if up then ρ(Pw + v_1^3) else ρ(Tw − v_1^3)
            v_0 ← w
            up ← true
        end if
    end for
    return v_0

(Here $v_0 = V_k$ for the prefix $k$ processed so far, and the flag $up$ records whether $v_1$ holds $V_{k+1}$ or $V_{k-1}$; $w = V_{3k}$ since cubing is the Frobenius map in characteristic 3.)
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B Implicit Exponentiation of $\mathbb{F}_{q^{k/3}}$-Traces

Let $n = (n_t \cdots n_0)_3$ be the plain ternary representation of $n \neq 0$. The following algorithm computes the $\mathbb{F}_{q^2}$-trace $c_n = \mathrm{tr}(g^n)$ of an element $g \in \mathbb{F}_{q^6}$ from its $\mathbb{F}_{q^2}$-trace $c = \mathrm{tr}(g)$. The loop runs over the digits of $\lfloor n/3 \rfloor$, so that it ends with $L_{\lfloor n/3 \rfloor}(c)$; the last digit $n_0 = n \bmod 3$ then selects the result, as in section 6.2.

    c^{−1} ← c^q · (c^q · c)^{−1}            // N.B. (c^q · c) ∈ F_q
    c^{q−1} ← c^q · c^{−1}, c^{−q} ← (c^{−1})^q, c^{1−q} ← (c^{q−1})^q, c_2 ← c^2 + c^q
    S_0 ← 0, S_1 ← c, S_2 ← c_2, S_3 ← c^3
    for j ← t downto 1 do
        if n_j = 0 then
            S'_0 ← S_0^3
            S'_2 ← (S_1^2 + S_1^q) · S_0 − S_0^q · S_2 + c_2
            S'_1 ← c^{−q} · (S_0 − S_1)^3 + c^{1−q} · S'_2
            S'_3 ← S_1^3
        else if n_j = 1 then
            S'_0 ← S_1^3
            S'_1 ← (S_1^2 + S_1^q) · S_2 − S_2^q · S_0 + c_2^q
            S'_2 ← (S_2^2 + S_2^q) · S_1 − S_1^q · S_3 + c_2
            S'_3 ← S_2^3
        else /* n_j = 2 */
            S'_0 ← S_2^3
            S'_1 ← (S_2^2 + S_2^q) · S_3 − S_3^q · S_1 + c_2^q
            S'_2 ← c^{−1} · (S_3 − S_2)^3 + c^{q−1} · S'_1
            S'_3 ← S_3^3
        end if
        (S_0, S_1, S_2, S_3) ← (S'_0, S'_1, S'_2, S'_3)
    end for
    return S_{n mod 3}



C Solving the Curve Equation in Characteristic 3

Definition 3. The absolute trace of a field element $a \in \mathbb{F}_{3^m}$ is the linear form:

$$\mathrm{tr}(a) = a + a^3 + a^{3^2} + \cdots + a^{3^{m-1}}.$$

The absolute trace will always be in $\mathbb{F}_3$, as one can easily check by noticing from the above definition that $\mathrm{tr}(a)^3 = \mathrm{tr}(a)$ for all $a \in \mathbb{F}_{3^m}$. Being surjective and linear over $\mathbb{F}_3$, it can always be represented as a (usually sparse) dual vector $T \in \mathbb{F}_{3^m}$ in a given basis, so that one can compute $\mathrm{tr}(u) = T \cdot u$ in no more than $O(m)$ time. In a normal basis $\{\theta^{3^i}\}$ with $\mathrm{tr}(\theta) = 1$, computing $\mathrm{tr}(u)$ amounts to summing up all coefficients of $u$.

The coordinates of a curve point $P = (x, y)$ are constrained by the curve equation to satisfy $y^2 = x^3 + ax + b$. Thus one can represent a point as either $(x, \beta)$
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where $\beta \in \mathbb{F}_2$ indicates which of the two roots corresponds to $y = \pm\sqrt{x^3 + ax + b}$, or else by $(\tau, y)$ where $\tau \in \mathbb{F}_3$ indicates which of the three solutions one has to take of the equation $x^3 + ax + (b - y^2) = 0$. In characteristic 3, cubing is a linear operation, which makes the second possibility more advantageous.

Consider the special equation $x^3 - x - u = 0$ for a given $u \in \mathbb{F}_{3^m}$, which is relevant for supersingular curves in characteristic 3. This equation has a solution if, and only if, $\mathrm{tr}(u) = 0$ [22, theorem 2.25]. This is the case for 1/3 of the elements in $\mathbb{F}_{3^m}$, since the trace function is linear and surjective. The complexity of solving the cubic equation is only $O(m^2)$, as we show now.

Let $C : \mathbb{F}_{3^m} \to \mathbb{F}_{3^m}$ be defined by $C(x) = x^3 - x$. The kernel of $C$ is $\mathbb{F}_3$ [22, chapter 2, section 1], hence the rank of $C$ is $m - 1$ [16, section 3.1, theorem 2].

Theorem 3. The equation $x^3 - x - u = 0$ over $\mathbb{F}_{3^m}$ can be solved in $O(m^2)$ steps.

Proof. If $\mathbb{F}_{3^m}$ is represented in a standard polynomial basis, the cubic equation reduces to a system of linear equations with coefficients in $\mathbb{F}_3$, and can be solved in no more than $O(m^2)$ steps. This is achieved by first checking whether the system has solutions, i.e. whether $\mathrm{tr}(u) = 0$. If so, since the rank of $C$ is $m - 1$, one obtains an invertible $(m-1) \times (m-1)$ matrix $A$ by leaving out one row and correspondingly one column of the matrix representation of $C$ on the given basis. A solution of the cubic equation is then given by an arbitrary element $x_0 \in \mathbb{F}_3$ and by the solution of the system $Ax = u$, which is obtained as $x = A^{-1} u$ in $O(m^2)$ time.

Using a normal basis to represent field elements, it is not difficult to see that the cubic equation can be efficiently solved in $O(m)$ time by the following algorithm (the proof is straightforward and left as an exercise):

Cubic equation solving in normal basis:

    x_0 ← root selector (an arbitrary element from F_3)
    for i ← 1 to m − 1 do {
        x_i ← x_{i−1} − u_i
    }
    x is a solution if, and only if, x_{m−1} = x_0 + u_0.

□
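The normal-basis algorithm above, as an added example that is not the paper's code: in a normal basis cubing is a cyclic shift of coefficients and the absolute trace is the coefficient sum, so the solver, the solvability test $\mathrm{tr}(u) = 0$ and the verification $x^3 - x = u$ all run on coefficient lists; $m = 5$ and the right-hand sides are constructed for the example.

```python
# Added example, not the paper's code: the O(m) normal-basis solver of Appendix C for
# x^3 - x = u over F_{3^m}. In a normal basis {theta^{3^i}} with tr(theta) = 1, cubing
# is a cyclic shift of the coefficient vector and tr(u) is the coefficient sum, so
# the whole computation, including the solvability test, runs on coefficient lists.
# Assumed toy size: m = 5, with constructed right-hand sides u.

def absolute_trace(u):
    """tr(u) in F_3: the sum of the normal-basis coefficients (Definition 3, tr(theta) = 1)."""
    return sum(u) % 3

def cube(x):
    """x -> x^3: coefficient i of x^3 is coefficient i-1 of x, indices taken cyclically."""
    return [x[i - 1] for i in range(len(x))]

def solve_cubic(u, x0):
    """One root of x^3 - x = u with root selector x0 in F_3, or None when tr(u) != 0.

    Comparing coefficients of x^3 - x = u gives x_{i-1} - x_i = u_i for every i, i.e. the
    forward recurrence x_i = x_{i-1} - u_i and the wrap-around condition x_{m-1} = x_0 + u_0."""
    m = len(u)
    x = [x0 % 3] + [0] * (m - 1)
    for i in range(1, m):
        x[i] = (x[i - 1] - u[i]) % 3
    if x[m - 1] != (x[0] + u[0]) % 3:          # fails exactly when tr(u) != 0
        return None
    return x

def all_roots(u):
    """All three roots for a solvable u; they differ by the elements of F_3 = ker(x^3 - x)."""
    roots = [solve_cubic(u, x0) for x0 in range(3)]
    return [] if roots[0] is None else roots

def is_root(x, u):
    """Check x^3 - x == u on coefficient vectors."""
    return [(a - b) % 3 for a, b in zip(cube(x), x)] == [c % 3 for c in u]

if __name__ == "__main__":
    u_good = [1, 2, 0, 1, 2]                    # constructed: tr(u) = 6 = 0 in F_3, solvable
    u_bad = [1, 0, 0, 0, 0]                     # constructed: tr(u) = 1, no solution
    print(all_roots(u_good), all_roots(u_bad))
```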
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Abstract. We introduce a compact and efficient representation of elements of the algebraic torus. This allows us to design a new discrete-log based public-key system achieving the optimal communication rate, partially answering the conjecture in [4]. For $n$ the product of distinct primes, we construct efficient ElGamal signature and encryption schemes in a subgroup of $\mathbb{F}_{q^n}^*$ in which the number of bits exchanged is only a $\phi(n)/n$ fraction of that required in traditional schemes, while the security offered remains the same. We also present a Diffie-Hellman key exchange protocol averaging only $\phi(n) \log_2 q$ bits of communication per key. For the cryptographically important cases of $n = 30$ and $n = 210$, we transmit a 4/5 and a 24/35 fraction, respectively, of the number of bits required in XTR [14] and recent CEILIDH [24] cryptosystems.



1 Introduction 

In classical Diffie-Hellman key exchange there are two fixed system parameters: a large prime $q$ and a generator $g$ of the multiplicative group $\mathbb{F}_q^*$ of the field $\mathbb{F}_q$. In [10], the idea of working in finite extension fields instead of prime fields was proposed, but no computational or communication advantages were implied. In [26] Schnorr proposed working in a relatively small subgroup of $\mathbb{F}_q^*$ of prime order, improving the computational complexity of classical DH, but requiring the same amount of communication.

In [4] it is shown how to combine these two ideas so that the number of bits exchanged in DH key exchange is reduced by a factor of 3. Specifically, it is shown that elements of an order $r$ subgroup $G$ of $\mathbb{F}_{q^6}^*$ can be efficiently represented using $2 \log_2 q$ bits if $r$ divides $q^2 - q + 1$, which is one third of the $6 \log_2 q$ bits required for elements of $\mathbb{F}_{q^6}^*$. Since the smallest field containing $G$ is $\mathbb{F}_{q^6}$, one can show [13] that with respect to attacks known today, the security of working in $G$ is the same as that of working in $\mathbb{F}_{q^6}^*$ for $r$ large enough. In [14, 15] the XTR public key system was developed using the method of [4] together with an efficient arithmetic to achieve both computational and communication savings. These papers also show how to reduce communication in ElGamal encryption and signature schemes in $\mathbb{F}_{q^6}^*$.
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In [4] it was conjectured that one can extend this technique to any $n$ by working in the subgroup of $\mathbb{F}_{q^n}^*$ of order $\Phi_n(q)$, where $\Phi_n(x)$ denotes the $n$th cyclotomic polynomial. Since the degree of $\Phi_n$ is $\phi(n)$, where $\phi$ is the Euler function, one could transmit a $\phi(n)/n$ fraction of the number of bits needed in classical DH, while achieving the same level of security. For $n$ the product of the first $k$ primes, $\phi(n)/n \to 0$ as $k \to \infty$, so the savings get better and better. In [3, 24], evidence that the techniques of [4] cannot generalize to arbitrary $n$ was presented, and in [3, 24], some specific versions of the conjecture in [4] made in [3] were shown to be false. Also in [24, 25, 23] it is shown that the group of order $\Phi_n(q)$ is isomorphic to the well-studied algebraic torus $T_n(\mathbb{F}_q)$ [30] and that a positive answer to the conjecture in [4] is possible if one can construct an efficient rational parameterization of $T_n(\mathbb{F}_q)$. However, such a construction is only known when $n$ is a prime power or the product of two prime powers, although it is conjectured to exist for all $n$ [24, 30]. In [24] a construction is given for $n = 6$, which is the basis for the CEILIDH public-key cryptosystem. CEILIDH achieves the same communication as XTR with a few computational differences.

In this paper we finally break the “$n < 6$ barrier” by constructing, for every $n$, efficient ElGamal encryption and signature schemes in $\mathbb{F}_{q^n}^*$, which require transmitting at most a $\phi(n)/n$ fraction of the bits required in their classical counterparts. Further, we present an asymptotical variant of DH key exchange in which the average number of bits exchanged per key approaches $\phi(n) \log_2 q$. The key property that we use is the fact that $T_n$ is stably rational (see [30], section 5.1). Specifically, our enabling technique is the construction of efficiently computable bijections $\theta$ and $\theta^{-1}$ with

$$\theta : T_n(\mathbb{F}_q) \times \underset{d \mid n,\ \mu(n/d) = -1}{\times} \mathbb{F}_{q^d}^* \to \underset{d \mid n,\ \mu(n/d) = 1}{\times} \mathbb{F}_{q^d}^*,$$

where $\times$ denotes direct product, and $\mu$ is the Möbius function$^1$. This allows us to bypass the torus conjecture of [24], by relaxing the problem of efficiently representing a single symbol of $T_n(\mathbb{F}_q)$, to the problem of efficiently representing a sequence of symbols in $T_n(\mathbb{F}_q)$. Our bijections enable us to compactly represent $m$ elements of $T_n(\mathbb{F}_q)$ with $\big(m\phi(n) + \sum_{d \mid n,\ \mu(n/d) = -1} d\big) \log q$ bits, which for large enough $m$ is roughly $\phi(n) \log q$ bits per element. We stress that while our key exchange protocol achieves the optimal $n/\phi(n)$ reduction factor asymptotically, our encryption and signature schemes achieve this even for the encrypting or signing of a single message.

Note that the domain and range of $\theta$ need not be isomorphic. Indeed, letting $G_d$ denote the cyclic group of order $d$, if $n = 2$ and $q = 3$, then the domain of $\theta$ is isomorphic to $G_4 \times G_2$, while the range is isomorphic to $G_8$. We show, however, that $\theta$ can be decomposed into isomorphisms plus a map requiring a table lookup. We show how to choose $q$ so that constructing and querying this table is extremely efficient.

$^1$ For an integer $n$, $\mu(n) = 1$ if $n = 1$, $\mu(n) = 0$ if $n$ has a repeated factor, and $\mu(n) = (-1)^k$ if $n$ is a product of $k$ distinct primes (see [11], section 16.3).
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Our choice of q and r for fixed n will also affect the security of our scheme. 
We give an efficient heuristic for choosing q and r for the practical cases of 
n = 30 and n = 210, where we achieve a communication reduction by factors 
of 15/4 and 35/8, respectively. Further, for any n, we give an efficient algorithm 
for choosing q and r with a theoretical guarantee on its performance. This latter 
algorithm is primarily of theoretical interest, showing how to optimally choose 
q and r when n tends to infinity for a sufficiently large security requirement. 

While our main focus and contribution is on the communication complexity, we also calculate the amount of computation necessary to evaluate $\theta$ and $\theta^{-1}$ for general $n$, and we attempt to minimize the number of modular exponentiations. We show that our representation enjoys some of the same computational advantages of CEILIDH over XTR, including the ability to multiply elements of $T_n(\mathbb{F}_q)$ directly. This allows us to come close to the non-hybrid version of ElGamal encryption in [24]. Indeed, in addition to constructing a hybrid ElGamal encryption scheme, we construct a scheme in which to encrypt $m$ messages, we form $m$ ElGamal encryptions in $T_n(\mathbb{F}_q)$ plus one additional encryption using a symmetric cipher. Unfortunately, the computational complexity of our scheme is not that practical, whereas XTR for instance, permits very efficient computations if just exponentiation is required. For $n = 30$, we hand-optimize the computation of $\theta$ and $\theta^{-1}$. Our analysis for general $n$ shows that all of our protocols and algorithms are (theoretically) efficient in $n$ and the sizes of $q$ and $r$.

Outline: Section 2 discusses the algebraic and number-theoretic tools we use. In section 3 we construct the bijections $\theta$ and $\theta^{-1}$. Section 4 shows how to choose system parameters to guarantee security and efficiency, giving both a practical algorithm for $n = 30$ and $n = 210$, and a theoretical algorithm for general $n$. In section 5 we discuss our cryptographic applications. Section 6 treats the computational complexity of our bijections, and we conclude in section 7.



2 Preliminaries 

2.1 Cyclotomic Polynomials and Algebraic Tori 

We first state a few facts about the cyclotomic polynomials. See [19] for more background.

Definition 1. Let $n$ be a positive integer and let $\zeta_n = e^{2\pi i/n}$. The $n$th cyclotomic polynomial $\Phi_n(x)$ is defined by:

$$\Phi_n(x) = \prod_{1 \le k \le n,\ \gcd(k, n) = 1} (x - \zeta_n^k).$$

It is easy to see that the degree of $\Phi_n(x)$ is $\phi(n)$, where $\phi$ is the Euler totient function. We also have:

$$x^n - 1 = \prod_{d \mid n} \Phi_d(x)$$

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and using the Möbius function $\mu$,

$$\Phi_n(x) = \prod_{d \mid n} (x^d - 1)^{\mu(n/d)}.$$

It can be shown that the cyclotomic polynomials are irreducible polynomials over $\mathbb{Q}$ with integer coefficients. For $q$ a prime power, let $\mathbb{F}_q$ denote the finite field with $q$ elements. For integers $n > 0$ we define the algebraic torus$^2$ $T_n(\mathbb{F}_q)$:

$$T_n(\mathbb{F}_q) = \{\alpha \in \mathbb{F}_{q^n}^* \mid \alpha^{\Phi_n(q)} = 1\}.$$

2.2 Number Theory 

The following is the celebrated prime number theorem (see [11], chapter 22):

Theorem 1. For large enough $n$, the number of primes less than or equal to $n$ is $\frac{n}{\ln n} + o\!\left(\frac{n}{\ln n}\right)$.

We also need the fact that for any $n > 6$, $\phi(n) > n/(6 \ln \ln n)$, and for $n$ the product of the first $k$ distinct primes, $\phi(n) = O(n / \log\log n)$. We use the following density theorem in our analysis:

Theorem 2. (Chebotarev [5, 16]) For any integer $n$ and any $a \in \mathbb{Z}_n^*$, the density of primes $p$ (among the set of all primes) with $p \equiv a \bmod n$ is $1/\phi(n)$.

3 The Bijection 

Let $q$ be a prime power, $n$ a positive integer, $\mathbb{F}_{q^n}^*$ the multiplicative group of the field of order $q^n$, and $T_n(\mathbb{F}_q)$ the $\phi(n)$-dimensional algebraic torus over $\mathbb{F}_q$. For an integer $k$, let $[k] = \{1, 2, \ldots, k\}$. The goal of this section is to construct efficiently computable bijections $\theta$ and $\theta^{-1}$, where

$$\theta : T_n(\mathbb{F}_q) \times \underset{d \mid n,\ \mu(n/d) = -1}{\times} \mathbb{F}_{q^d}^* \to \underset{d \mid n,\ \mu(n/d) = 1}{\times} \mathbb{F}_{q^d}^*.$$

Our strategy is to first find efficient bijections $\gamma$ and $\gamma^{-1}$, where

$$\gamma : \mathbb{F}_{q^n}^* \to \underset{d \mid n}{\times} T_d(\mathbb{F}_q).$$

Note that in general $\mathbb{F}_{q^n}^*$ and $\times_{d \mid n} T_d(\mathbb{F}_q)$ need not be isomorphic. Let $G_m$ denote the cyclic group of order $m$. We first need a few lemmas. The following is an immediate consequence of the structure theorem of abelian groups, but for completeness and to exhibit the efficient isomorphisms, we include it:

Lemma 1. Suppose $n = r_1 \cdot r_2 \cdots r_k$ for pairwise relatively prime positive integers $r_1, \ldots, r_k$. Then there exist efficiently computable isomorphisms $\rho : G_n \to \times_{i \in [k]} G_{r_i}$ and $\sigma : \times_{i \in [k]} G_{r_i} \to G_n$.

$^2$ Technically, $T_n(\mathbb{F}_q)$ just refers to the $\mathbb{F}_q$ points of the algebraic torus rather than the torus itself (see [24, 30]).
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Proof. For $i \in [k]$, put $d_i = n/r_i$. Since the $r_i$ are pairwise relatively prime, $\gcd(d_1, d_2, \ldots, d_k) = 1$, so there exist integers $e_i$ for which $\sum_{i \in [k]} e_i d_i = 1$. For $\alpha \in G_n$, define $\rho(\alpha) = (\alpha^{d_i})_{i \in [k]}$. Since $\alpha^{d_i r_i} = 1$, $\rho$ maps elements of $G_n$ to elements in the product group $\times_{i \in [k]} G_{r_i}$. For $(\alpha_i)_{i \in [k]} \in \times_{i \in [k]} G_{r_i}$, define $\sigma((\alpha_i)_{i \in [k]}) = \prod_{i \in [k]} \alpha_i^{e_i}$, where multiplication occurs in $G_n$.

The claim is that $\rho$ and $\sigma$ are inverse isomorphisms between $G_n$ and $\times_{i \in [k]} G_{r_i}$. For $\alpha \in G_n$, we have $\sigma(\rho(\alpha)) = \sigma((\alpha^{d_i})_{i \in [k]}) = \prod_{i \in [k]} \alpha^{e_i d_i} = \alpha$. Similarly, for $(\alpha_i)_{i \in [k]} \in \times_{i \in [k]} G_{r_i}$, we have

$$\rho(\sigma((\alpha_i)_{i \in [k]})) = \rho\Big(\prod_{i \in [k]} \alpha_i^{e_i}\Big) = \Big(\prod_{j \in [k]} \alpha_j^{e_j d_i}\Big)_{i \in [k]}.$$

Now, $r_j \mid d_i$ if $j \neq i$, so in this case $\alpha_j^{e_j d_i} = 1$. Also, $e_i d_i = 1 - \ell r_i$ for an integer $\ell$, so $\alpha_i^{e_i d_i} = \alpha_i^{1 - \ell r_i} = \alpha_i$. Hence, $\rho(\sigma((\alpha_i)_{i \in [k]})) = (\alpha_i)_{i \in [k]}$, which shows $\rho$ and $\sigma$ are inverses. Observe that $\rho(\alpha_1 \cdot \alpha_2) = ((\alpha_1 \cdot \alpha_2)^{d_i})_{i \in [k]} = (\alpha_1^{d_i})_{i \in [k]} \cdot (\alpha_2^{d_i})_{i \in [k]} = \rho(\alpha_1) \cdot \rho(\alpha_2)$, and similarly $\sigma((\alpha_i)_{i \in [k]} \cdot (\alpha_i')_{i \in [k]}) = \prod_{i \in [k]} (\alpha_i \alpha_i')^{e_i} = \prod_{i \in [k]} \alpha_i^{e_i} \prod_{i \in [k]} (\alpha_i')^{e_i} = \sigma((\alpha_i)_{i \in [k]}) \cdot \sigma((\alpha_i')_{i \in [k]})$, which shows that the maps are isomorphisms. Computing $\rho$ and $\sigma$ just requires multiplication and exponentiation, which can be made efficient by repeated squaring.

Let $U = U(n, q)$ be the smallest positive integer for which $\gcd\big(\Phi_d(q), \Phi_e(q), \frac{q^n - 1}{U}\big) = 1$ for all $d \neq e$ with $d \mid n$ and $e \mid n$.

Lemma 2. For $d \mid n$, let $y_d = \gcd\big(\Phi_d(q), \frac{q^n - 1}{U}\big)$. Then $\mathbb{F}_{q^n}^* \cong G_U \times (\times_{d \mid n} G_{y_d})$. Furthermore, the isomorphisms are efficiently computable.

Proof. By lemma 1 it suffices to show (1) $q^n - 1 = U \prod_{d \mid n} y_d$, (2) for all $d$, $\gcd(U, y_d) = 1$, and (3) for all $d \neq e$, $\gcd(y_d, y_e) = 1$.

Using the fact that $q^n - 1 = \prod_{d \mid n} \Phi_d(q)$, the following establishes (1):

$$\frac{q^n - 1}{U} = \gcd\Big(\prod_{d \mid n} \Phi_d(q), \frac{q^n - 1}{U}\Big) = \prod_{d \mid n} \gcd\Big(\Phi_d(q), \frac{q^n - 1}{U}\Big) = \prod_{d \mid n} y_d,$$

where the second equality follows from the definition of $U$. For (2), observe that

$$\gcd(U, y_d) = \gcd\Big(U, \Phi_d(q), \frac{q^n - 1}{U}\Big) \;\Big|\; \gcd\Big(U, \frac{q^n - 1}{U}\Big) = 1,$$

since if a prime $p \mid U$, by minimality of $U$ there exist $d \neq e$ for which $p \mid \gcd(\Phi_d(q), \Phi_e(q))$, so if $p \mid \frac{q^n - 1}{U}$ then $p \mid \gcd\big(\Phi_d(q), \Phi_e(q), \frac{q^n - 1}{U}\big)$, a contradiction. To see (3), note that $\gcd(y_d, y_e) = \gcd\big(\Phi_d(q), \Phi_e(q), \frac{q^n - 1}{U}\big) = 1$ by the definition of $U$.




162 Marten van Dijk and David Woodruff 



We use the following bijections with complexity proportional to $U$, which we later show to be negligible for an appropriate choice of $q$.

Lemma 3. For $d \mid n$, let $z_d = \gcd(\Phi_d(q), U)$. There exist bijections between $G_U$ and $\times_{d \mid n} G_{z_d}$ requiring $O(\log U + \log n + \log\log q)$ time to evaluate and $O(U n^{1+\epsilon} \log q)$ space for any $\epsilon > 0$.

Proof. Using the definition of $U$,

$$\prod_{d \mid n} z_d = \prod_{d \mid n} \gcd(\Phi_d(q), U) = \gcd\Big(\prod_{d \mid n} \Phi_d(q), U\Big) = \gcd(q^n - 1, U) = U,$$

so there exists a bijection between the two groups. Choose a generator $g$ of $G_U$ and generators $g_d$ of $G_{z_d}$. For each $i \in [U]$, make a table entry mapping $g^i$ to a unique tuple $(g_d^{i_d})_{d \mid n}$. Since the sum of the divisors of $n$ is less than $O(n^{1+\epsilon})$ for any $\epsilon > 0$ ([11], section 18.3), the table consumes $O(U n^{1+\epsilon} \log q)$ space. We sort the entries in both directions so that both bijections are efficient. Evaluations of either bijection can then be performed with a binary search in $O(\log U + \log n + \log\log q)$ time.

We need another auxiliary map:

Lemma 4. Let $y_d$ and $z_d$ be as in the previous two lemmas. Then $\times_{d \mid n} T_d(\mathbb{F}_q) \cong (\times_{d \mid n} G_{y_d}) \times (\times_{d \mid n} G_{z_d})$. Furthermore, the isomorphisms are efficiently computable.

Proof. It suffices to show for any $d \mid n$, $T_d(\mathbb{F}_q) \cong G_{y_d} \times G_{z_d}$, and that this isomorphism is efficiently computable. Note that $y_d z_d = \gcd\big(\Phi_d(q), \frac{q^n - 1}{U}\big) \gcd(\Phi_d(q), U) = \Phi_d(q)$ since $\gcd\big(U, \frac{q^n - 1}{U}\big) = 1$ by the definition of $U$. By the same observation, $\gcd(y_d, z_d) = 1$. Lemma 1 establishes the claim.

The following is immediate from the previous 3 lemmas:

Lemma 5. Assuming the maps of lemma 3 are efficient, there exist efficiently computable bijections $\gamma$ and $\gamma^{-1}$, where $\gamma : \mathbb{F}_{q^n}^* \to \times_{d \mid n} T_d(\mathbb{F}_q)$.

We now have the bijection claimed at the beginning:

Theorem 3. Assuming the maps of lemma 3 are efficient, there exist efficiently computable bijections $\theta$ and $\theta^{-1}$, where $\theta : T_n(\mathbb{F}_q) \times \times_{d \mid n,\ \mu(n/d) = -1} \mathbb{F}_{q^d}^* \to \times_{d \mid n,\ \mu(n/d) = 1} \mathbb{F}_{q^d}^*$.

Proof. Lemma 5 gives efficient bijections between $T_n(\mathbb{F}_q) \times \times_{d \mid n,\ \mu(n/d) = -1} \mathbb{F}_{q^d}^*$ and $T_n(\mathbb{F}_q) \times \big(\times_{d \mid n,\ \mu(n/d) = -1} (\times_{e \mid d} T_e(\mathbb{F}_q))\big)$, and also between $\times_{d \mid n,\ \mu(n/d) = 1} \mathbb{F}_{q^d}^*$ and $\times_{d \mid n,\ \mu(n/d) = 1} (\times_{e \mid d} T_e(\mathbb{F}_q))$. By permuting coordinates, the theorem will follow if we show the multiset equality

$$\{n\} \cup \bigsqcup_{d \mid n,\ \mu(n/d) = -1} \{e \text{ s.t. } e \mid d\} = \bigsqcup_{d \mid n,\ \mu(n/d) = 1} \{e \text{ s.t. } e \mid d\}.$$

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From section 2, $\Phi_n(x) \prod_{d \mid n,\ \mu(n/d) = -1} (x^d - 1) = \prod_{d \mid n,\ \mu(n/d) = 1} (x^d - 1)$ in the polynomial ring $\mathbb{Q}[x]$. Decomposing this equation into irreducible polynomials, we have $\Phi_n(x) \prod_{\mu(n/d) = -1} \prod_{e \mid d} \Phi_e(x) = \prod_{\mu(n/d) = 1} \prod_{e \mid d} \Phi_e(x)$, and since $\mathbb{Q}[x]$ is a unique factorization domain, the irreducible polynomials on the left must be the same as those on the right. This gives the desired multiset equality.

4 Parameter Selection 

The two constraints on choosing $q$ and $r$ for fixed $n$ are security and efficiency constraints, the latter measured by the size $U(n, q)$ of the tables needed in our bijections. We first discuss the role of security in parameter selection:

4.1 Security Measures

Our schemes derive their security from the same assumptions of XTR and CEILIDH. That is, if there is a successful attack against one of our cryptographic primitives, then there is a successful attack against the corresponding primitive in the underlying group we use, which we assume is impossible. Let $\langle g \rangle \subset \mathbb{F}_{q^n}^*$ be a multiplicative group of order $r$ with generator $g$. The security of our applications relies on the hardness of both the Computational Diffie-Hellman problem (CDH) and the Decisional Diffie-Hellman problem (DDH) in $\langle g \rangle$. The former is the problem of computing $g^{ab}$ given $g^a$ and $g^b$, and the latter is that of distinguishing triples of the form $(g^a, g^b, g^{ab})$ from $(g^a, g^b, g^c)$ for random $a$, $b$, and $c$. The hardness of both of these problems implies the hardness of the discrete logarithm problem (DL) in $\langle g \rangle$: find $x$ given $g^x$. Due to the Pohlig-Hellman algorithm [21], the DL problem in $\langle g \rangle$ can be reduced to the DL problem in all prime order subgroups of $\langle g \rangle$, so we might as well assume that $r$ is prime.

There are two known approaches to solving the DL problem in $\langle g \rangle$ [1, 7, 9, 13, 20, 27, 28], one which attacks the full multiplicative group of $\mathbb{F}_{q^n}$ itself using the Discrete Logarithm variant of the Number Field Sieve, and one which concentrates directly on the subgroup $\langle g \rangle$ using Pollard's Birthday Paradox based rho method [22]. Let $s$ be the smallest divisor of $n$ for which $\langle g \rangle$ can be embedded in $\mathbb{F}_{q^s}^*$. The heuristic expected running time of the first attack is $L[q^s, 1/3, 1.923]$, where $L[n, v, u] = \exp((u + o(1))(\ln n)^v (\ln\ln n)^{1-v})$. If $q$ is small, e.g. $q = 2$, then the constant 1.923 can be replaced with 1.53. The second attack, due to Pollard, takes $O(\sqrt{r})$ operations in $\langle g \rangle$.

Hence we see that the difficulty of solving the DL problem in $\langle g \rangle$ depends on both the size of the minimal surrounding subfield and on the size of its prime order $r$. If $\mathbb{F}_{q^n}$ is itself the minimal surrounding subfield, as is the case if we choose $r \mid \Phi_n(q)$ with $r > n$, then for sufficiently large $r$ the DL, CDH, and DDH problems in $\langle g \rangle$ are widely believed to be just as hard as solving their classical counterparts w.r.t. an element of prime order $\approx r$ in the prime field of cardinality $\approx q^n$ [14]. As mentioned in [14], when $n \log_2 q \approx 1024$ and $\log_2 r \approx 160$, solving the DL problem in $\langle g \rangle$ is generally believed to be harder than factoring a 1024-bit RSA modulus provided $q$ is not too small.
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4.2 Practical Algorithm for $n = 30$ and $n = 210$

Based on our security discussion, it is shown in [4] that, assuming an RSA key length between 1024 and 2048 bits gives adequate security, for $n = 30$ we should choose $q$ to be a prime between 35 and 70 bits long, and for $n = 210$ we should choose $q$ to be a prime between 5 and 10 bits long. Note that for the next value of $n$ for which we achieve a communication savings, $n = 2310 = 2 \cdot 3 \cdot 5 \cdot 7 \cdot 11$, the field size will have to be at least 2310 bits, so any setting of $q$ already exceeds the 2048 bits needed for adequate security.

In [13] it is shown how to quickly find a q and an r meeting these requirements 
for fixed n. The algorithm is heuristic, and involves choosing random q of a 
certain size and checking if $\Phi_n(q)$ contains a sufficiently large prime factor $r$ 
by trial division with the primes up to roughly 10®. On a 166MHz processor, 
for n = 30 it was shown that it takes 12 seconds to find an r of size between 
214 and 251 bits for q of size 32 bits. Note that for n = 30 we actually need 
r to be slightly smaller, as claimed in the previous paragraph. This way we 
can achieve the largest efficiency gain for a fixed security guarantee. Using the 
algorithm of [13], fixing the size of r to be approximately 161 bits and searching 
for an appropriate q took three hours instead of the 12 seconds needed previously. 
However, there are three reasons we do not consider this to be problematic. First, 
CPU speeds are easily ten times as fast these days. Second, we don’t need to fix 
the size of r to be exactly 161 bits; we just need to find an r of approximately 
this size. And third, finding the system parameters is a one-time cost and can 
be done offline, or even by a trusted third party. 

From the efficiency analysis in the next section and lemma 6, one can show 
that the table size $U(n, q)$ resulting from choosing $q$ at random subject to the 
above constraints is likely to be small with good probability. Hence, this heuristic 
algorithm is likely to find a q and an r so that both security and efficiency 
constraints are met in a reasonable amount of time. 



4.3 Theoretical Algorithm for General n 
with Probabilistic Guarantees 

In this section we use properties of the density of primes to design a parame- 
ter selection algorithm and rigorously analyze its performance. Unfortunately, 
since the factorization of $\Phi_n(q)$ for random primes $q$ does not seem to be well-understood, we are forced to choose $q > r$, which with respect to attacks known 
today, doesn’t allow for choosing the optimal q and r for n = 30 and n = 210 
if we just want 2048 bit RSA security. A straightforward calculation shows that 
for n = 30, the following algorithm gives us the largest efficiency gain for a fixed 
security guarantee if and only if q is at least 558 bits. Hence, we should view 
the algorithm as theoretical in nature, and apply the heuristic of the previous 
section for small n. 

Let fc be a positive integer tending to infinity and let n be the product of the 
first k primes. We want to choose q so that: 
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1. nlogq is sufficiently large. 

2. There exists a large prime factor r of 

3. U = U{n, q) is small. 

We say an integer is squarefree if it contains no repeated factors. The selection 
algorithm is as follows: 

Parameter Selection Algorithm PSA(n = pi ■ ■ ■ pk,Q, R)'. 

1. Let S be the subset of the first k primes p for which p — 1 is squarefree, and 
put T = {pi,...,pk\ \ S. 

2. Find an R-hit prime r for which r = 1 mod n, and find a, z G Z* of order n. 

3. Find a Q-bit prime q = z + kr > n, for some integer k, such that: 

(a) For all p G S, qP^p^i^ ^ 1 mod where Op((7) denotes the order of q 
in Z*. 

(b) For all p €T, Op{q) = p — 1. 

4. Find a generator g of the subgroup of order r of F*n. Output r,q, and g. 

We first claim that if the PSA algorithm terminates, then r and q meet the 
aforementioned properties. By setting Q large enough, the first property holds. 
We have ^n(<z) = ^n{z + kr) = ^„(z) -I- sr for some integer s, and since Or{z) = 
n, ^n{z) -I- sr = 0 mod r. Hence by choosing R sufficiently large, the second 
property holds. To show U = U{n, q) is small, we need the following lemma: 

Lemma 6. Let p he a prime and q an integer such that p )( q. Then p\U if and 
only if pOp{q) \ n. In case of the latter, p^ \ U if and only if p^ \ — 1). 

Proof. By minimality of C/, p | C/ if and only if there exist divisors d < e of n 
for which p | gcd(<?d(9), (<?))• Fix two such divisors d and e, let / = gcd(d, e), 

and suppose f < d. Since / < d, p | <Pd{q) \ {q'^ ~ ~ 1) = f + q^ + q^^ + 

■ ■■ + Since p | gcd(<?d((7), ^e(g)) | gcd(g‘^ — 1,9® — 1) = q^ — 1, we 

have 9^ = 1 mod p, so d// = 0 mod p, or p | d//. Similarly, p | e//. But then 
p I gcd(d//, e//), contradicting our choice of /. Hence, d = / which means d | e 
and p I e/d I n. 

Suppose there is another divisor c < d of n for which p | <!>c{q)- Then by the 
above, c | d and p | (d/c), and since p | (e/d), p^ | e | n, contradicting the fact 
that n is squarefree. This means that (d, e) is the unique pair of divisors for which 
p I gcd(^d(9).^e(9))- Since p | 9” - 1, Op{q) \ n, and since gcd(Op(9),p) = 1, 
pOp{q) I n. Put d = Op{q) and e = pOp{q). Then d is the smallest positive 
integer for which 9^^ = 1, so p | T>d{q). Also, 'Pe{q) = (9® — l)/(d‘^ ~ 1) = 

l + h = e/d mod p = 0 mod p. Hence if p | gcd(^d(9), ^e(9)), 

then d = 0^(9) and e = pOp{q). Conversely, if pOp{q) \ n, then p | C/ for these 
d, e. 

We have shown $p \mid U$ if and only if $pO_p(q) \mid n$. The above shows that if $p^i \mid U$, then $p^i \mid (\Phi_{O_p(q)}(q) \cdot \Phi_{pO_p(q)}(q)) \mid (q^{pO_p(q)} - 1)$, and conversely, if $p^i \mid (q^{pO_p(q)} - 1)$, then $p^i \mid \gcd(\Phi_d(q), \Phi_e(q)) \mid U$.
Remark 1. Note that $p^2 \mid (q^{pO_p(q)} - 1)$, since on the one hand we have $p \mid (q^{O_p(q)} - 1)$, and on the other hand we have $(q^{pO_p(q)} - 1)/(q^{O_p(q)} - 1) = 1 + q^{O_p(q)} + q^{2O_p(q)} + \cdots + q^{(p-1)O_p(q)} = 1 + 1 + \cdots + 1 = 0 \bmod p$. Hence if $p \mid U$, then $p^2 \mid (q^{pO_p(q)} - 1)$, so it follows that $p^2 \mid U$.
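The following Python program is a worked check of Lemma 6 and Remark 1, added here as an example; it is not code from the paper. It computes $U(n, q)$ for squarefree $n$ as the smallest divisor $U$ of $q^n - 1$ with $\gcd(\Phi_e(q), \Phi_f(q), (q^n - 1)/U) = 1$ for all $e \ne f$ dividing $n$ (the $u_d$ of section 6.1 with $d = n$; that this is the $U$ of Lemma 6 is an assumption of the example), then tests the lemma prime by prime and evaluates the step 3 conditions of the PSA algorithm. The inputs $n = 6, 30$ and $q = 5, 7, 13$ are constructed test values.

```python
"""Worked check of Lemma 6, Remark 1 and the PSA step-3 conditions (added example)."""
from math import gcd


def divisors(n):
    """All positive divisors of n, in increasing order."""
    return [d for d in range(1, n + 1) if n % d == 0]


def prime_factors(n):
    """Distinct prime factors of n by trial division (all numbers here are small)."""
    ps, m, p = [], n, 2
    while p * p <= m:
        if m % p == 0:
            ps.append(p)
            while m % p == 0:
                m //= p
        p += 1
    if m > 1:
        ps.append(m)
    return ps


def mobius(k):
    """Moebius function mu(k): 0 if k has a square factor, else (-1)^(number of primes)."""
    ps = prime_factors(k)
    if any(k % (p * p) == 0 for p in ps):
        return 0
    return (-1) ** len(ps)


def cyclotomic_value(d, q):
    """Phi_d(q) as an exact integer, via Phi_d(q) = prod_{k|d} (q^(d/k) - 1)^mu(k)."""
    num = den = 1
    for k in divisors(d):
        mu = mobius(k)
        if mu == 1:
            num *= q ** (d // k) - 1
        elif mu == -1:
            den *= q ** (d // k) - 1
    assert num % den == 0
    return num // den


def mult_order(q, p):
    """O_p(q): the order of q in Z_p^* (requires gcd(q, p) = 1)."""
    assert gcd(q, p) == 1
    k, x = 1, q % p
    while x != 1:
        x, k = x * q % p, k + 1
    return k


def valuation(p, m):
    """Largest i with p^i | m."""
    v = 0
    while m % p == 0:
        m, v = m // p, v + 1
    return v


def U(n, q):
    """Smallest divisor U of q^n - 1 with gcd(Phi_e(q), Phi_f(q), (q^n - 1)/U) = 1 for all e != f.
    Assumed here to be the U of Lemma 6 (it is u_d of section 6.1 with d = n)."""
    divs = divisors(n)
    phi = {d: cyclotomic_value(d, q) for d in divs}
    shared = set()  # primes dividing gcd(Phi_d(q), Phi_e(q)) for some pair d < e
    for i, d in enumerate(divs):
        for e in divs[i + 1:]:
            shared.update(prime_factors(gcd(phi[d], phi[e])))
    total = q ** n - 1
    result = 1
    for p in shared:  # the full p-part of q^n - 1 must be moved into U
        result *= p ** valuation(p, total)
    return result


def lemma6_holds(n, q):
    """Check Lemma 6 and Remark 1 for every prime p | n with p not dividing q."""
    u = U(n, q)
    for p in prime_factors(n):
        if q % p == 0:
            continue
        o = mult_order(q, p)
        p_divides_u = u % p == 0
        if p_divides_u != (n % (p * o) == 0):  # p | U  <=>  p * O_p(q) | n
            return False
        if p_divides_u:
            w = q ** (p * o) - 1
            for i in range(1, valuation(p, u) + 2):  # p^i | U  <=>  p^i | q^(p O_p(q)) - 1
                if (u % p ** i == 0) != (w % p ** i == 0):
                    return False
            if u % (p * p) != 0:  # Remark 1: p | U forces p^2 | U
                return False
    return True


def psa_step3(n, q):
    """Split the primes of n into S (p - 1 squarefree) and T, and evaluate
    (a) q^(p O_p(q)) != 1 mod p^3 for p in S and (b) O_p(q) = p - 1 for p in T.
    Note: any odd q has q^2 = 1 mod 8, so (a) cannot hold at p = 2."""
    S = [p for p in prime_factors(n) if mobius(p - 1) != 0]
    T = [p for p in prime_factors(n) if mobius(p - 1) == 0]
    cond_a = {p: pow(q, p * mult_order(q, p), p ** 3) != 1 for p in S}
    cond_b = {p: mult_order(q, p) == p - 1 for p in T}
    return S, T, cond_a, cond_b
```

For $n = 30$ and $q = 13$ the program gives $S = \{2, 3\}$, $T = \{5\}$ and $U = 72 = 2^3 \cdot 3^2$; the exponent of 3 is exactly 2, as Remark 1 and condition (a) predict, while the exponent of 2 is 3 because $13^2 \equiv 1 \pmod 8$.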

The following lemma provides tight asymptotic bounds on $U = U(n, q)$:

Lemma 7. If the PSA algorithm terminates, $U = O(n^{2C})$, where $C \approx .374$ is Artin's constant.



Proof. By the previous lemma, if $p \mid U$, then $p \mid n$, so $p \in \{p_1, \ldots, p_k\}$. Now if $p \in T$, $p - 1$ is not squarefree, so $O_p(q) \nmid n$ by step 3b, so $p \nmid U$. On the other hand, if $p \in S$, $p - 1$ is a product of distinct primes in $\{p_1, \ldots, p_k\}$, so $O_p(q) \mid n$ and hence $p \mid U$. Combining this with the remark above, step 3a of the PSA algorithm, and the previous lemma, we conclude that $U$ is exactly the square of the product of primes in $S$ and that the PSA algorithm chooses $q$ so that $U$ is minimal.

To obtain the bound on $U$ it suffices to show that the density of primes $p$ for which $p - 1$ is squarefree is $C$, where $C$ is Artin's constant [8]. The bound will then hold for large enough $k$. For a prime $p$, $p - 1$ is not squarefree if and only if $p = 1 \bmod q^2$ for a prime $q$. By the inclusion-exclusion principle, the multiplicativity of $\phi(\cdot)$, and theorem 2, the density of primes $p$ for which $p - 1$ is squarefree is:

$$1 - \sum_{\text{primes } p} \frac{1}{\phi(p^2)} + \sum_{\text{primes } p, q} \frac{1}{\phi(p^2 q^2)} - \cdots = \prod_{\text{primes } p} \left(1 - \frac{1}{\phi(p^2)}\right) = C.$$

By theorem 1, for sufficiently large $k$, $p_k \approx k \log k$ and $k \approx \frac{\log n}{\log \log n}$, where the approximation is up to low order terms. Hence, $U \le p_k^{2Ck} \approx (k \log k)^{2Ck} \approx (\log n)^{2C \log n / \log \log n} \approx n^{2C}$.
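As an added numerical illustration of the density argument (not from the paper), the program below evaluates the truncated Euler product $\prod_{p \le B} (1 - 1/\phi(p^2))$ with $\phi(p^2) = p(p-1)$, counts how many primes $p$ up to a bound have $p - 1$ squarefree, and splits the first $k$ primes into $S$ and $T$ as step 1 of the PSA algorithm does. The bounds $10^4$ and $3 \cdot 10^5$ and the choice $k = 8$ are the example's own.

```python
"""Empirical check of the density claim in the proof of Lemma 7 (added example)."""


def primes_up_to(limit):
    """Sieve of Eratosthenes; returns all primes <= limit."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for p in range(2, int(limit ** 0.5) + 1):
        if sieve[p]:
            sieve[p * p::p] = bytearray(len(sieve[p * p::p]))
    return [p for p in range(limit + 1) if sieve[p]]


def squarefree_flags(limit):
    """flags[m] == 1 iff m is squarefree, for 1 <= m <= limit (multiples of p^2 are struck)."""
    flags = bytearray([1]) * (limit + 1)
    for p in primes_up_to(int(limit ** 0.5) + 1):
        flags[p * p::p * p] = bytearray(len(flags[p * p::p * p]))
    return flags


def artin_constant(bound):
    """Truncated product prod_{p <= bound} (1 - 1/(p(p-1))), converging to C ~ 0.3739558."""
    c = 1.0
    for p in primes_up_to(bound):
        c *= 1.0 - 1.0 / (p * (p - 1))
    return c


def squarefree_pred_density(limit):
    """Fraction of primes p <= limit for which p - 1 is squarefree."""
    ps = primes_up_to(limit)
    flags = squarefree_flags(limit)
    return sum(flags[p - 1] for p in ps) / len(ps)


def first_primes(k):
    """The first k primes, sieving with a doubling bound until enough are found."""
    limit = 32
    while True:
        ps = primes_up_to(limit)
        if len(ps) >= k:
            return ps[:k]
        limit *= 2


def psa_split(k):
    """Step 1 of the PSA algorithm: S = primes p_i with p_i - 1 squarefree, T = the rest."""
    ps = first_primes(k)
    flags = squarefree_flags(ps[-1])
    S = [p for p in ps if flags[p - 1]]
    T = [p for p in ps if not flags[p - 1]]
    return S, T
```

With $k = 8$ the split is $S = \{2, 3, 7, 11\}$ and $T = \{5, 13, 17, 19\}$; the ratio $|S|/k$ only approaches $C$ for much larger $k$, which is why the lemma speaks of "large enough $k$".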



Finally, we show the PSA algorithm terminates quickly in expectation:

Efficiency Analysis: By theorem 1, $k \approx \frac{\log n}{\log \log n}$ and $p_k \approx \log n$. Determining $S$ and $T$ in step 1 can therefore be done by trial division in $O(\log^2 n)$ time. We can perform step 2 by choosing a random $R$-bit number $r$, efficiently checking if $r$ is prime, and checking if $r = 1 \bmod n$. This requires an expected $\phi(n) R = O\!\left(\frac{nR}{\log \log n}\right)$ samples $r$. To find $z$, we choose a random $a \in Z_r^*$, set $\beta = a^{(r-1)/n}$, and check that $\beta^d \neq 1 \bmod r$ for all proper divisors $d$ of $n$. In expectation, after $O(\log R)$ trials one such $a$ will be a generator of $Z_r^*$, for which setting $z = \beta = a^{(r-1)/n}$ gives $z$ with $O_r(z) = n$. Conversely, if for all proper divisors $d$ of $n$ we have $\beta^d \neq 1 \bmod r$, then $O_r(\beta) = n$. Since the number of proper divisors of $n$ is $O(n^{\epsilon})$ for any $\epsilon > 0$ ([11], section 18.1), the check in step 2 is efficient.

For step 3, for each $p \in T$, we can find an element $c_p \in Z_p^*$ with $O_p(c_p) = p - 1$ by simply trying each of the $p - 1 = O(\log n)$ elements of $Z_p^*$ until we succeed. We then choose a random integer $k$ for which $q = z + kr$ is a $Q$-bit number and efficiently check if $q$ is prime. If so, then for each $p \in S$, we can compute $O_p(q)$ in $O(\log n)$ time, then check if $q^{pO_p(q)} \neq 1 \bmod p^3$ by repeated squaring. For each $p \in T$ we check if $q = c_p \bmod p$.

The claim is that the number of random samples $k$ needed in step 3 is only $O(Qn^{1-C})$. Using the fact that the density of primes amongst integers of the form $z + kr$ is $O(1/Q)$, an integer $k$ for which $z + kr$ is prime can be found with $O(Q)$ samples in expectation. By independence, the density of primes $q$ which are $c_p \bmod p$ for every $p \in T$ is $\prod_{p \in T} \frac{1}{p-1} \approx n^{C-1}$, where $C$ is Artin's constant. Fix any $p \in S$. By theorem 2, for all but a negligible fraction of primes $q$, $q = g^i \bmod p^3$ for $g$ a generator of $Z_{p^3}^*$. Since $g$ is a generator, $q^{pO_p(q)} = 1 \bmod p^3$ if and only if $i$ is a multiple of $p(p-1)/O_p(q)$, and there are only $pO_p(q) \le p(p-1)$ such multiples. By theorem 2, it is equally likely that $q = g^i$ for any $i \in [\phi(p^3)]$, so the density of primes $q$ for which $q^{pO_p(q)} \neq 1 \bmod p^3$ is at least $1 - 1/p$. By independence, the density of $q$ for which $q^{pO_p(q)} \neq 1 \bmod p^3$ for all $p \in S$ is at least $\prod_{p \in S} (1 - 1/p) = \Omega\!\left(\frac{1}{\log \log n}\right)$. Applying independence one last time, we conclude that $q$ can be found with an expected $O(Qn^{1-C})$ samples $k$.

Finally, step 4 can be implemented by choosing a random $g \in F_{q^n}^*$ and making sure that $g^{(q^n-1)/r} \neq 1$. The number of generators of $F_{q^n}^*$ is $\phi(q^n - 1)$, which is $\Omega\!\left(\frac{q^n - 1}{\log n + \log Q}\right)$, so the expected number of samples $g$ needed is $O(\log n + \log Q)$.

5 Cryptographic Applications 

Let $n$ be the product of the first $k$ primes, and let $r$, $q$, and $g$ be public parameters generated as in section 4. Define $\sigma^-(n) = \sum_{d \mid n,\ \mu(n/d) = -1} d$ and $\sigma^+(n) = \sum_{d \mid n,\ \mu(n/d) = 1} d$, and observe that $\phi(n) + \sigma^-(n) = \sigma^+(n)$. From section 3, we have an efficiently computable bijection $\theta$ and its inverse $\theta^{-1}$, with

$$\theta : T_n(F_q) \times \prod_{d \mid n,\ \mu(n/d) = -1} F_{q^d} \to \prod_{d \mid n,\ \mu(n/d) = 1} F_{q^d}.$$

From the proof of theorem 3, we see that there are a number of choices for $\theta$ depending on which coordinate permutation is chosen. While this choice does not affect the communication of our protocols or the size of our encryptions/signatures, it can affect the computational costs. In section 6 we choose a specific permutation and analyze the computational requirements for $n = 30$. We will think of $\theta$ and $\theta^{-1}$ as efficiently computable maps between $T_n(F_q) \times F_q^{\sigma^-(n)}$ and $F_q^{\sigma^+(n)}$ by fixing polynomial representations of $F_{q^d}$ with $d \mid n$. An element of $F_q^{\sigma^-(n)}$ is then just a list of $\sigma^-(n)$ $q$-ary coefficients with respect to these polynomials, and can be treated as an element of $\prod_{d \mid n,\ \mu(n/d) = -1} F_{q^d}$. Let $i_d, i_d + 1, \ldots, i_d + d - 1$ denote the coordinates of an element $x \in F_q^{\sigma^-(n)}$ corresponding to the coefficients of $x$ with respect to the irreducible polynomial for $F_{q^d}$. Our map may not be well-defined because we may have $(x_{i_d}, x_{i_d+1}, \ldots, x_{i_d+d-1}) = 0$. However, if $y \in F_q^{\sigma^-(n)}$ is chosen randomly, the probability that some coordinate of $y$ is zero is less than $\sigma^-(n)/q = O(n^{1+\epsilon}/q)$ for any $\epsilon > 0$, which is negligible. The same is true of a randomly chosen element of $F_q^{\sigma^+(n)}$. Hence, if we apply $\theta$ and $\theta^{-1}$ to random $(x_1, x_2) \in T_n(F_q) \times F_q^{\sigma^-(n)}$ and $y \in F_q^{\sigma^+(n)}$, $\theta(x_1, x_2)$ and $\theta^{-1}(y)$ are well-defined with overwhelming probability.

It is possible to modify $\theta$ and $\theta^{-1}$ if one wants more than a probabilistic guarantee. Define $d^-(n) = \sum_{d \mid n,\ \mu(n/d) = -1} 1$ and $d^+(n) = \sum_{d \mid n,\ \mu(n/d) = 1} 1$. We can efficiently extend $\theta$ to the well-defined map $\bar{\theta}$,

$$\bar{\theta} : T_n(F_q) \times F_q^{\sigma^-(n)} \to F_q^{\sigma^+(n)} \times \{0, 1\}^{d^-(n)},$$

where for each $(x, y) \in T_n(F_q) \times F_q^{\sigma^-(n)}$ and for each $d \mid n$ with $\mu(n/d) = -1$, if $(y_{i_d}, \ldots, y_{i_d+d-1}) = 0$, we replace $y_{i_d+d-1}$ with 1, obtaining a new string $y'$, and define $\bar{\theta}(x, y) = \theta(x, y') \circ b$, where for all $j \in [d^-(n)]$, $b_j = 1$ if and only if $(y_{i_d}, \ldots, y_{i_d+d-1}) = 0$ for the $j$th divisor $d$. Note that $\bar{\theta}^{-1}$, the inverse of $\bar{\theta}$ restricted to the image of $\bar{\theta}$, is also well-defined. Similarly, letting $\beta$ denote $\theta^{-1}$, we can extend $\beta$ to a well-defined map $\bar{\beta} : F_q^{\sigma^+(n)} \to T_n(F_q) \times F_q^{\sigma^-(n)} \times \{0, 1\}^{d^+(n)}$ and construct $\bar{\beta}^{-1}$.

The next sections describe our cryptographic applications. For simplicity, in our security analyses we assume $\theta$ and $\theta^{-1}$ are actually bijections between $T_n(F_q) \times F_q^{\sigma^-(n)}$ and $F_q^{\sigma^+(n)}$, although it should be understood that our protocols can be slightly modified so that $\bar{\theta}$ or $\bar{\beta}$ can be used without affecting the security. The only application where this is not immediately obvious is the non-hybrid ElGamal encryption, but step 3 of that protocol can be modified to additionally encrypt the "extra bits" from $\bar{\beta}$ using, say, the same key used in step 3.



5.1 Diffie-Hellman Key Agreement

For Alice and Bob to agree on a sequence of $m$ secret keys $K_i$, they engage in the following protocol:

1. Alice and Bob choose random $S_0$ and $T_0$ in $\prod_{d \mid n,\ \mu(n/d) = -1} F_{q^d}^*$, respectively, and treat them as elements of $F_q^{\sigma^-(n)}$.

2. For $i = 1$ to $m$,

(a) Alice selects a random integer $x_i$ with $1 < x_i < r$, sets $A_i = g^{x_i}$, computes $\theta(A_i, S_{i-1}) = (a_i, S_i) \in F_q^{\phi(n)} \times F_q^{\sigma^-(n)}$ and transmits $a_i$ to Bob.

(b) Bob selects a random integer $y_i$ with $1 < y_i < r$, sets $B_i = g^{y_i}$, computes $\theta(B_i, T_{i-1}) = (b_i, T_i) \in F_q^{\phi(n)} \times F_q^{\sigma^-(n)}$ and transmits $b_i$ to Alice.

3. Alice sends $S_m$ to Bob and Bob sends $T_m$ to Alice.

4. For $i = m$ to 1,

(a) Alice computes $\theta^{-1}(b_i, T_i) = (B_i, T_{i-1})$, and sets $K_i = B_i^{x_i} = g^{x_i y_i}$.

(b) Bob computes $\theta^{-1}(a_i, S_i) = (A_i, S_{i-1})$, and sets $K_i = A_i^{y_i} = g^{x_i y_i}$.
The number of bits sent from Alice to Bob (and from Bob to Alice) is about $(m\phi(n) + \sigma^-(n)) \log q$, so the rate approaches the optimal $\phi(n) \log q$ bits per key as $m$ gets large. This beats all known schemes for $n \ge 30$. In particular, for $n = 30$, our scheme requires only $8 \log q$ bits per shared key while generalizing the scheme in section 4.11 of [14] to $n = 30$ gives a scheme requiring $10 \log q$ bits per key exchange. The scheme in [24] would also achieve our rate, but needs an unproven conjecture concerning the rationality of $T_{30}(F_q)$.
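The rate claims of this section can be checked with the following Python snippet, an added example that is not taken from the paper. Since $n$ is squarefree, it represents $n$ by its list of primes, enumerates divisors as subsets, and uses $\mu(n/d) = (-1)^{\omega(n/d)}$ to evaluate $\sigma^-(n)$, $\sigma^+(n)$ and $\phi(n)$; the prime lists for $n = 30$ and $n = 210$ and the convention of measuring communication in units of $\log q$ are the example's own choices.

```python
"""Communication accounting for the section 5 protocols (added example)."""
from itertools import combinations
from math import prod


def primorial_data(primes):
    """For squarefree n = prod(primes): (n, phi(n), sigma^-(n), sigma^+(n)).
    A divisor d is a sub-product of the primes; mu(n/d) = (-1)^(number of primes not in d)."""
    k = len(primes)
    sigma_minus = sigma_plus = 0
    for size in range(k + 1):
        for subset in combinations(primes, size):
            d = prod(subset)  # prod(()) == 1 covers d = 1
            if (k - size) % 2 == 1:
                sigma_minus += d  # mu(n/d) = -1
            else:
                sigma_plus += d  # mu(n/d) = +1
    phi = prod(p - 1 for p in primes)
    return prod(primes), phi, sigma_minus, sigma_plus


def identity_holds(primes):
    """phi(n) + sigma^-(n) = sigma^+(n), i.e. phi(n) = sum_{d|n} mu(n/d) d."""
    _, phi, sm, sp = primorial_data(primes)
    return phi + sm == sp


def dh_bits_per_key(primes, m, log_q=1.0):
    """Bits per shared key in the section 5.1 protocol: (m phi(n) + sigma^-(n)) log q / m."""
    _, phi, sm, _ = primorial_data(primes)
    return (m * phi + sm) * log_q / m


def signature_overhead(primes, log_q=1.0):
    """Communication beyond |M| + log r: phi(n) log q for the section 5.2 scheme
    versus (n/3) log q for the scheme of [4, 17]."""
    n, phi, _, _ = primorial_data(primes)
    return phi * log_q, n / 3 * log_q
```

For $n = 30$ one key costs $40 \log q$ bits but a hundred keys cost $8.32 \log q$ bits each, approaching $\phi(30) \log q = 8 \log q$; the signature overhead is $8 \log q$ versus $10 \log q$ for $n = 30$ and $48 \log q$ versus $70 \log q$ for $n = 210$.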

Observe that $(A_1, S_0)$ and $(B_1, T_0)$ are random, and since $\theta$ is a bijection, the last $\sigma^-(n)$ coordinates of $\theta(A_1, S_0)$ are those of a random element in $\prod_{d \mid n,\ \mu(n/d) = 1} F_{q^d}^*$. Hence the probability that some coordinate of $S_1$ is zero is even less than that for a random element in $F_q^{\sigma^-(n)}$, which is negligible. One can then verify that every application of $\theta$ or $\theta^{-1}$ is on a random element. It follows from the foregoing discussion and the union bound that the probability of either Alice or Bob ever attempting to apply $\theta$ or $\theta^{-1}$ on an element outside of the domain is negligible. For deterministic guarantees, one can replace $\theta$ and $\theta^{-1}$ with $\bar{\theta}$ and $\bar{\beta}$, negligibly changing the rate to $\phi(n) \log q + O(n^{\epsilon})$ for any $\epsilon > 0$. Given the overwhelming probability guarantees for $\theta$ and $\theta^{-1}$, this does not seem necessary.

Security: An eavesdropper obtains $a_1, \ldots, a_m$, $b_1, \ldots, b_m$, $S_m$, and $T_m$. Since $\theta$ and $\theta^{-1}$ are efficient bijections, this is equivalent to obtaining $A_1, \ldots, A_m$, $B_1, \ldots, B_m$, $S_0$, and $T_0$. Since $S_0$ and $T_0$ are random, determining a shared secret $K_i$ is equivalent to solving the CDH problem in $\langle g \rangle$, given $A_1, \ldots, A_m, B_1, \ldots, B_m$.

5.2 ElGamal Signature Schemes

Suppose the message $M$ to be signed is at least $\sigma^-(n) \log q - \log r$ bits long. If this is not the case, one can wait until there are $m > 1$ messages $M_i$ to be signed for which $\sum_i |M_i| \ge \sigma^-(n) \log q - \log r$, then define $M$ to be the concatenation $M_1 \circ \cdots \circ M_m$ and sign $M$. For a random $a$, $1 < a < r - 1$, let $a$ be Alice's private key and $A = g^a$ her public key. Let $h : \{0, 1\}^* \to Z_r$ be a cryptographic hash function. We have the following generalized ElGamal signature scheme (see p. 458 of [18] for background):

Signature Generation $(M)$:

1. Alice selects a random secret integer $k$, $1 < k < r$, and computes $d = g^k$.

2. Alice then computes $e = k^{-1}(h(M) - a\,h(d)) \bmod r$.

3. Alice expresses $M \circ e$ as $(R, S) \in F_q^{\sigma^-(n)} \times \{0, 1\}^*$, computes $\theta(d, R) = T$, and outputs $(S, T)$ as her signature.

Signature Verification $(M, S, T)$:

1. Bob computes $\theta^{-1}(T) = (d, R)$ and constructs $M$ and $e$ from $R$ and $S$.

2. Bob accepts the signature if and only if $A^{h(d)} d^{e} = g^{h(M)}$.

The communication of this scheme is at the optimal $|M| + \log r + \phi(n) \log q$ for ElGamal signature schemes, even for one message (as long as $M$ is large enough). This beats the $|M| + \log r + (n/3) \log q$ communication of the scheme in [4, 17] when $n \ge 30$, in particular for the practical values $n = 30$ and $n = 210$. Our communication is the same as that in [24], but we do not rely on any conjectures.

Note that our map $\theta$ may fail since $M$ need not be random. One can avoid this by excluding the negligibly few $M$ for which $\theta$ is not defined (as in RSA or the schemes of [24]), or one can replace $\theta$ with $\bar{\theta}$, as defined above, and communicate an additional $O(n^{\epsilon})$ bits of overhead. Alternatively Alice can use a pseudorandom generator to randomize $M$ and communicate the small seed used to Bob, requiring even less communication than the already asymptotically negligible $O(n^{\epsilon})$ bits.

We note that a simple modification of our protocol, making it similar in 
spirit to our key exchange protocol, can allow Alice to sign each Mi individually, 
allowing for incremental verification. 

Security: In this scheme the verifier obtains $(S, T)$, which is equivalent to obtaining $M$, $d$, and $e$. Thus, the security of this scheme reduces to the security of the generalized ElGamal signature scheme in $\langle g \rangle$.
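To make the signing and verification equations concrete, here is an added Python implementation of the generalized ElGamal scheme in a prime-order subgroup. It is not the paper's code, and it omits the packing $\theta(d, R) = T$: the signature is handled directly as the pair $(d, e)$, which is exactly what the security paragraph above reduces to. The subgroup $\langle 4 \rangle$ of order $r = 1019$ inside $Z_{2039}^*$ and the use of SHA-256 reduced modulo $r$ as $h$ are constructed choices for the example.

```python
"""Generalized ElGamal signatures of section 5.2 in a prime-order subgroup (added example).
The torus packing theta(d, R) = T is omitted; the signature is the pair (d, e)."""
import hashlib
import secrets

# Constructed toy parameters: r = 1019 and p = 2r + 1 = 2039 are prime, and g = 4
# generates the subgroup of order r in Z_p^*.  A real instance uses a large r | Phi_n(q).
P, R, G = 2039, 1019, 4
assert pow(G, R, P) == 1 and G != 1


def h(data: bytes) -> int:
    """Hash function h : {0,1}^* -> Z_r (SHA-256 reduced modulo r)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % R


def group_hash(x: int) -> int:
    """h(d) for a group element d, applied to its fixed-width byte encoding."""
    return h(x.to_bytes((P.bit_length() + 7) // 8, "big"))


def keygen():
    """Private key a with 1 < a < r - 1 and public key A = g^a."""
    a = secrets.randbelow(R - 3) + 2
    return a, pow(G, a, P)


def sign(a: int, message: bytes, k=None):
    """Steps 1-2 of signature generation: d = g^k and e = k^{-1}(h(M) - a h(d)) mod r."""
    if k is None:
        k = secrets.randbelow(R - 2) + 2  # 1 < k < r, so k is invertible modulo the prime r
    d = pow(G, k, P)
    e = (pow(k, -1, R) * (h(message) - a * group_hash(d))) % R
    return d, e


def verify(A: int, message: bytes, signature) -> bool:
    """Step 2 of verification: accept iff A^{h(d)} d^e = g^{h(M)}."""
    d, e = signature
    if not (1 < d < P) or pow(d, R, P) != 1:  # d must be a non-trivial element of <g>
        return False
    lhs = pow(A, group_hash(d), P) * pow(d, e, P) % P
    return lhs == pow(G, h(message), P)
```

Correctness follows from $A^{h(d)} d^{e} = g^{a\,h(d) + k e}$ and $ke \equiv h(M) - a\,h(d) \pmod r$; the subgroup membership test in `verify` is the check that, in the torus setting, would be performed on the element recovered by $\theta^{-1}$.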

5.3 ElGamal Encryption

We present two flavors of ElGamal encryption. The first is a hybrid scheme with shorter encryptions than the one in [14], while the second is essentially a non-hybrid analogue of ElGamal in $T_n(F_q)$. In the second, to encrypt a sequence of $m$ messages, $m + 1$ encryptions are created and $m$ of them are performed directly in $T_n(F_q)$. The first scheme achieves optimal communication, while the second is asymptotically optimal.

Hybrid ElGamal. For random $b$, $1 < b < r - 1$, let $b$ be Bob's private key and $B = g^b$ his public key. Suppose Alice wants to encrypt the message $M \in F_q^{\sigma^-(n)}$ with Bob's public key. Let $E$ be an agreed upon symmetric encryption scheme with domain $F_q^{\sigma^-(n)}$. We have the following protocol:

Encryption $(M)$:

1. Alice selects a random secret integer $k$, $1 < k < r$, and computes $d = g^k$.

2. From $B$ Alice computes $e = B^k = g^{bk}$.

3. From $e$ Alice derives a key $Q$ for $E$ and computes the encryption of $M$, $E(M)$, under key $Q$. Alice writes $E(M)$ as $(R, S) \in F_q^{\sigma^-(n)} \times \{0, 1\}^*$.

4. Alice computes $\theta(d, R) = T$ and outputs her encryption $(S, T)$.

Decryption $(S, T)$:

1. Bob computes $\theta^{-1}(T) = (d, R)$.

2. From $d$ and $b$ Bob computes $e = d^b$.

3. From $e$ Bob derives $Q$ and decrypts $E(M) = (R, S)$ to obtain and output $M$.

The communication of this scheme is at the optimal $|E(M)| + \phi(n) \log q$ bits for hybrid ElGamal encryption. As in our protocol for signature schemes, we achieve this rate even for a single message. This beats the $|E(M)| + (n/3) \log q$ bit scheme in [14] for $n \ge 30$.

It is unlikely that $\theta$ or $\theta^{-1}$ is applied to an element with any zero coordinates since $d$ is random and $E(M)$ is likely to "look random" in practice, so $\theta(d, R)$ is likely to be a random element of $F_q^{\sigma^+(n)}$ for which it is extremely unlikely that any coordinates are zero. An exact analysis, though, depends on one's choice of $E$. As in our protocol for signature schemes, one can randomize $E(M)$ to decrease the error probability or replace $\theta$ with $\bar{\theta}$ for a deterministic guarantee at the cost of a few bits of communication.

Security: An adversary learns $(S, T)$, which is equivalent to learning $d$ and $E(M)$. Assuming the CDH problem is hard in $\langle g \rangle$, the security of this scheme is just that of the symmetric scheme $E$, assuming the key $Q$ to $E$ is chosen reasonably from $e$. To derive $Q$ from $e$, one can extract bits that are hard to compute by an eavesdropper, see [2].

Almost Non-hybrid ElGamal. In the following, Alice will encrypt a sequence of $m$ messages $M_1, \ldots, M_m$, each in $F_q^{\phi(n)}$. She will form $m + 1$ encryptions, $m$ of which are encryptions in $T_n(F_q)$, and one requiring the use of an agreed upon symmetric encryption scheme $E$.

In the encryption phase of our scheme we will apply $\theta^{-1}$ to $(M_i \circ R)$ for some $R \in F_q^{\sigma^-(n)}$. For semantic security, for all $i$ it must hold that $\theta^{-1}(M_i \circ R) \in \langle g \rangle \times F_q^{\sigma^-(n)}$, which in general may be strictly contained in $T_n(F_q) \times F_q^{\sigma^-(n)}$. For this we adopt the technique in section 3.7 of [25]. Namely, by reserving a few bits of each $M_i$ to be "redundancy bits", if $\langle g \rangle$ has small enough index in $T_n(F_q)$, then for any $R$ we need only try a few random settings of these bits until $\theta^{-1}(M_i \circ R) = (c, d) \in \langle g \rangle \times F_q^{\sigma^-(n)}$, which we can test by checking if $c^r = 1$. In the following protocol description we ignore this issue and assume whenever $\theta^{-1}$ is applied, its image is in $\langle g \rangle \times F_q^{\sigma^-(n)}$.

For random $b_1, b_2$, $1 < b_1, b_2 < r - 1$, let $b_1, b_2$ be Bob's private keys and $B_1 = g^{b_1}$, $B_2 = g^{b_2}$ be his public keys. We have the following scheme:

Encryption $(M)$:

1. Alice chooses a random $R_0 \in F_q^{\sigma^-(n)}$.

2. For $i = 1$ to $m$,

(a) Alice computes $\theta^{-1}(M_i \circ R_{i-1}) = (c_i, R_i) \in \langle g \rangle \times F_q^{\sigma^-(n)}$.

(b) Alice chooses a random secret integer $k_i$, $1 < k_i < r$, and forms the encryption $(d_i, e_i) = (g^{k_i}, c_i B_1^{k_i})$.

3. Alice uses the hybrid ElGamal encryption scheme with symmetric cipher $E$ and public key $B_2$ to encrypt $R_m$ as $(T_m, S)$ with $T_m \in F_q^{\sigma^+(n)}$ and $S \in \{0, 1\}^*$.

4. For $i = m$ to 1,

(a) Alice computes $\theta(d_i, T_i) = (x_i, W_i) \in F_q^{\phi(n)} \times F_q^{\sigma^-(n)}$.

(b) Alice computes $\theta(e_i, W_i) = (y_i, T_{i-1}) \in F_q^{\phi(n)} \times F_q^{\sigma^-(n)}$.

5. Alice outputs $x_1, \ldots, x_m, y_1, \ldots, y_m, T_0, S$ as her encryption of $M_1, \ldots, M_m$.
Decryption $(x_1, \ldots, x_m, y_1, \ldots, y_m, T_0, S)$:

1. For $i = 1$ to $m$,

(a) Bob computes $\theta^{-1}(y_i \circ T_{i-1}) = (e_i, W_i)$.

(b) Bob computes $\theta^{-1}(x_i \circ W_i) = (d_i, T_i)$.

(c) Bob computes $c_i = e_i / d_i^{b_1}$.

2. Bob uses $T_m$ and $S$, together with $b_2$, in the decryption procedure of the hybrid ElGamal scheme to recover $R_m$.

3. For $i = m$ to 1, Bob computes $\theta(c_i, R_i) = M_i \circ R_{i-1}$.

4. Bob outputs $M_1, \ldots, M_m$.

The communication of this scheme is $2m\phi(n) \log q + |E(R_m)| + \phi(n) \log q$ bits. Hence, as $m$ grows, the rate of this scheme approaches $2\phi(n) \log q$, which is optimal for ElGamal type encryption.

Note that the $M_i$'s need not be random, and consequently $\theta^{-1}(M_i, R_{i-1})$ may not be well-defined. Choosing random $R_0$ will increase the chances that $\theta^{-1}(M_i, R_{i-1})$ is always defined. Alternatively, one can use the ideas of section 5.2 to randomize $M_i$, or one can use $\bar{\beta}$ instead of $\theta^{-1}$. Again, since $E(R_m) = (S, T_m)$ needn't be random even if $E$ is semantically secure, one may want to use $\bar{\theta}$ in place of $\theta$. This adds a negligible amount to the communication, and as stated earlier, encrypting the extra bits of $\bar{\beta}$ can be done in step 3.

Security: An adversary learns $x_1, \ldots, x_m, y_1, \ldots, y_m, T_0, S$, which is equivalent to learning $E'(R_m), d_1, \ldots, d_m, e_1, \ldots, e_m$, where $E'$ is the semantically secure hybrid encryption scheme. Assuming DDH is hard in $\langle g \rangle$, $(d_i, e_i)$ is a semantically secure encryption $E''(c_i)$ of $c_i$ for all $i$. The security of the scheme then follows from the fact that the keypairs $(b_1, B_1)$ and $(b_2, B_2)$ of $E', E''$ are independent.

6 Computational Complexity 

In this section we present efficient algorithms for computing $\theta$ and $\theta^{-1}$, analyze their complexity, and suggest an alternative way of improving computational costs with slightly more communication. Each of these is described in turn.



6.1 Algorithm 

Before describing $\theta$ and $\theta^{-1}$, we need some notation:

— For $d \mid n$, let $u_d$ be the smallest integer for which $\gcd(\Phi_e(q), \Phi_f(q), (q^d - 1)/u_d) = 1$ for all $e \ne f$ with $e \mid d$ and $f \mid d$.

— For $e \mid d \mid n$, we define $y_{d,e} = \gcd(\Phi_e(q), (q^d - 1)/u_d)$ and $z_{d,e} = \gcd(\Phi_e(q), u_d)$.

Generalizing section 3, we can find Wd and Wd,e s.t. Wd+'^e\d \ ~"^ Wd,e = 
1. Further, we can find Ud e and Vd e for which ^^^Ud e + e = 1- 

’ ’ yd,e ’ ^d,e ’ 

— Let $\rho_e(d) : \{d : e \mid d \mid n,\ \mu(n/d) = -1\} \to \{d : e \mid d \mid n,\ \mu(n/d) = +1\}$ for $e \mid n$, $e \ne n$, be a bijective mapping and define $\rho_n(n) = n$.
A naive implementation of $\theta$ consists of the following steps:

1. We first use an isomorphism

$$T_n(F_q) \times \prod_{\mu(n/d) = -1} F_{q^d}^* \to T_n(F_q) \times \prod_{\mu(n/d) = -1} G_{u_d} \times G_{(q^d - 1)/u_d}.$$

2. By using a table lookup we map $\prod_{\mu(n/d) = -1} G_{u_d} \to \prod_{\mu(n/d) = -1} \prod_{e \mid d} G_{z_{d,e}}$ and we use an isomorphism $\prod_{\mu(n/d) = -1} G_{(q^d - 1)/u_d} \to \prod_{\mu(n/d) = -1} \prod_{e \mid d} G_{y_{d,e}}$. By the structure theorem of Abelian groups there is an isomorphism $G_{z_{d,e}} \times G_{y_{d,e}} \cong T_e(F_q)$ for each $d \mid n$ with $\mu(n/d) = -1$ and $e \mid d$.

3. By using a permutation we obtain a mapping

$$T_n(F_q) \times \prod_{\mu(n/d) = -1} \prod_{e \mid d} T_e(F_q) \to \prod_{\mu(n/d) = +1} \prod_{e \mid d} T_e(F_q).$$

4. By the structure theorem of Abelian groups there is, for each $d \mid n$ with $\mu(n/d) = +1$ and $e \mid d$, an isomorphism $T_e(F_q) \to G_{z_{d,e}} \times G_{y_{d,e}}$. By using a table lookup we map $\prod_{\mu(n/d) = +1} \prod_{e \mid d} G_{z_{d,e}} \to \prod_{\mu(n/d) = +1} G_{u_d}$ and we use an isomorphism $\prod_{\mu(n/d) = +1} \prod_{e \mid d} G_{y_{d,e}} \to \prod_{\mu(n/d) = +1} G_{(q^d - 1)/u_d}$.

5. In the last step we use an isomorphism

$$\prod_{\mu(n/d) = +1} G_{u_d} \times G_{(q^d - 1)/u_d} \to \prod_{\mu(n/d) = +1} F_{q^d}^*.$$

Each of the isomorphisms is defined by taking simultaneous exponentiations. An improved implementation combines different isomorphisms in a single simultaneous exponentiation. Each table lookup followed by an exponentiation can be implemented as a single table lookup. This reduces the number of exponentiations and multiplications.

Computation of $\theta$ for $(x_d)_{d \mid n,\ \mu(n/d) = -1} \in \prod_{d \mid n,\ \mu(n/d) = -1} F_{q^d}^*$ and $x \in T_n(F_q)$:

1. For $d \mid n$, $\mu(n/d) = -1$,

(a) Compute $x_d^{(q^d - 1)/u_d} \in G_{u_d}$ and map it to $(z_{d,e})_{e \mid d} \in \prod_{e \mid d} G_{z_{d,e}}$ by using a table look up.

(b) Compute the components of $x_d^{u_d}$ in $\prod_{e \mid d} G_{y_{\rho_e(d), e}}$.

2. Compute $x^{\Phi_n(q)/z_{n,n}} \in G_{z_{n,n}}$.

3. For $d \mid n$, $\mu(n/d) = +1$,

(a) Map $(z_{d',e})_{\rho_e(d') = d,\ e \mid d} \in \prod_{e \mid d} G_{z_{d,e}}$ to $z_d \in G_{u_d}$ by using a table look up.

(b) Compute $X_d$, which is in $G_{u_d} \cdot G_{(q^d - 1)/u_d} = F_{q^d}^*$.

4. Multiply $X_n$ with the factor contributed by $x$.

5. $\theta(x, (x_d)_{d \mid n,\ \mu(n/d) = -1}) = (X_d)_{d \mid n,\ \mu(n/d) = +1}$.

The ideas in section 3 can be used to show the algorithm above is well-defined. The improved computation of $\theta^{-1}$ is similar, where we make sure to use the inverse of the coordinate permutation used in $\theta$.
6.2 Complexity

For background on efficient computations in fields and subgroups, see [6, 12, 29]. Consider the algorithm for $\theta$. In step 1, for $d \mid n$, $\mu(n/d) = -1$, we perform $1 + \sum_{e \mid d} 1$ exponentiations in $F_{q^d}$. Notice that, in step 1b we do not need to compute $x_d^{u_d}$ itself, since it can be combined with the table lookup in step 1a (there is an entry in the table corresponding to every $v$). Step 2 costs 1 exponentiation in $F_{q^n}$.

For $d \mid n$, $\mu(n/d) = -1$ or $d = n$, we precompute $x_d^{2^i}$, $0 \le i < d \log q$. This costs $d \log q$ multiplications in $F_{q^d}$. By using the results of the precomputation, an exponentiation $x_d^{t}$, for some $t$, in $F_{q^d}$ costs on average $(d \log q)/2$ multiplications in $F_{q^d}$ (the bit length of the exponent $t$ is $d \log q$ and roughly half the time a bit is equal to 1). Each multiplication in $F_{q^d}$ costs $f(d) \le d^2$ multiplications in $F_q$. Summarizing, steps 1 and 2 cost about

$$C_1 = \left( 3 f(n)\, n + \sum_{d \mid n,\ \mu(n/d) = -1} \Big(3 + \sum_{e \mid d} 1\Big) f(d)\, d \right) \frac{\log q}{2}$$

multiplications in $F_q$.

In step 3, for $d \mid n$, $\mu(n/d) = +1$, we need to perform, for each $e \mid d$ with $\rho_e(d') = d$, one exponentiation in $F_{q^{d'}}$. We do not need to compute $z_d$, which can be combined with the table lookup in step 1a.

The cost of step 3, measured in multiplications in the base field $F_q$, is on average approximately $\sum_{d \mid n,\ \mu(n/d) = +1} \sum_{e \mid d} f(\rho_e^{-1}(d))\, \rho_e^{-1}(d) (\log q)/2$. Since $\rho_e$ defines a permutation, this expression is equal to

$$C_2 = \left( f(n)\, n + \sum_{d \mid n,\ \mu(n/d) = -1} \Big(\sum_{e \mid d} 1\Big) f(d)\, d \right) \frac{\log q}{2}.$$

The total cost is $C_1 + C_2$ multiplications in $F_q$, where we neglect the cost of table lookups, addition, and multiplication modulo an integer. Since $\sum_{e \mid d} 1 = O(d^{\epsilon})$, we have $\sum_{d \mid n,\ \mu(n/d) = -1} (3 + 2\sum_{e \mid d} 1) f(d)\, d = O(\sum_{d \mid n} d^{2+\epsilon}) = O((\sum_{d \mid n} d)^{2+\epsilon}) = O(n^{2+\epsilon})$, since the sum of divisors of $n$ is $O(n^{1+\epsilon})$ for any $\epsilon > 0$. This proves

$$C_1 + C_2 = O(n^{2+\epsilon} \log q).$$

The same techniques show $\theta^{-1}$ requires $O(n^{2+\epsilon} \log q)$ multiplications in $F_q$.




6.3 Efficiency Improvements

To improve the efficiency we may use exponentiation algorithms for fixed exponents using vector addition chains. Also, we may group several exponentiations of $x_d$ together into one exponentiation by appropriately choosing the bijections $\rho_e$. If $n$ is not too large, we may use simultaneous exponentiation to speed up the computations. Full simultaneous exponentiations in every step require a precomputation of $2^n$ multiplications. We may optimize by using simultaneous




Asymptotically Optimal Communication for Torus-Based Cryptography 175 



exponentiation to compute intermediate results which we multiply together to compute the full exponentiation. Finally, we may combine the exponentiations required in our applications with the evaluation of $\theta$.

Notice that $\theta$ is much more efficient if, for $d \mid n$ with $\mu(n/d) = -1$, $x_d \in G_{(q^d - 1)/u_d}$. Then, for $e \mid d \mid n$ with $\mu(n/d) = -1$, $z_{d,e} = 1$ and $z_d = 1$. Table lookups can be avoided. Therefore each $X_d$, for $d \mid n$ with $\mu(n/d) = +1$, can be computed by a single simultaneous exponentiation of $x$, $x_d \in G_{(q^d - 1)/u_d}$, $d \mid n$, $\mu(n/d) = -1$, with fixed exponents in step 3. To make use of this, we define $\tau$ and $\tau^{-1}$ below and transmit the table entries of $(x_d^{(q^d - 1)/u_d})_{d \mid n,\ \mu(n/d) = -1}$. This increases the communication cost by

$$\sum_{d \mid n,\ \mu(n/d) = -1} u_d$$

bits, which in practice is much less than $\log_2 q$. So at the cost of a small increase in communication we improve the computational efficiency.

Computation $\tau(x, (x_d)_{d \mid n,\ \mu(n/d) = -1})$ and $\tau^{-1}$:

1. For $d \mid n$, $\mu(n/d) = -1$, compute $x_d' = x_d^{u_d}$.

2. Compute

$$X_d = \prod_{\rho_e(d') = d,\ e \mid d,\ e \ne n} (x_{d'}')^{\Phi_e(q)\, w_{d,e} / y_{d,e}} \in G_{(q^d - 1)/u_d}$$

for $d \mid n$ with $\mu(n/d) = +1$. Multiply $X_n$ with the factor contributed by $x$.

3. $\tau(x, (x_d)_{d \mid n,\ \mu(n/d) = -1}) = ((X_d)_{d \mid n,\ \mu(n/d) = +1}, 1)$.

4. Compute $x = X_n^{\,(q^n - 1) u_{n,n}/u_n + (q^n - 1) v_{n,n}/y_{n,n}}$.

5. Compute $x_{d'}$ from $(X_d)_{d = \rho_{e'}(d'),\ e' \mid d'}$ as $x_{d'}^{\,u_{d'} b_{d'}} = x_{d'}$, for $d' \mid n$ with $\mu(n/d') = -1$, where $(\cdots) + u_{d'} b_{d'} = 1$.

6. $\tau^{-1}((X_d)_{d \mid n,\ \mu(n/d) = +1}, (\cdots)_{d \mid n,\ \mu(n/d) = -1}) = (x, (x_d)_{d \mid n,\ \mu(n/d) = -1})$.

For $n = 30$, $\{d \mid n : \mu(n/d) = -1\} = \{15, 10, 6, 1\}$ and $\{d \mid n : \mu(n/d) = +1\} = \{30, 5, 3, 2\}$. We define $\rho_1(15) = 5$, $\rho_3(15) = 30$, $\rho_5(15) = 5$, $\rho_{15}(15) = 30$, $\rho_1(10) = 2$, $\rho_2(10) = 2$, $\rho_5(10) = 30$, $\rho_{10}(10) = 30$, $\rho_1(6) = 3$, $\rho_2(6) = 30$, $\rho_3(6) = 3$, $\rho_6(6) = 30$, $\rho_1(1) = 30$, $\rho_{30}(30) = 30$. We use $f(30) = 234$, $f(15) = 78$, $f(10) = 45$, $f(6) = 18$, $f(5) = 15$, $f(3) = 6$, and $f(2) = 3$ [31]. In step 1, we compute $x_{15}'$, $x_{10}'$, $x_6'$, and $x_1'$ using single exponentiations by using the square and multiply method [18, p. 614]. This costs in total $3(78 \cdot 15 + 45 \cdot 10 + 18 \cdot 6 + 1)(\log q)/2 = 2593.5 \log q$ multiplications in $F_q$.
In step 2, $X_{30}$ is computed as a simultaneous exponentiation [18, p. 618] in $x \in F_{q^{30}}$, $x_{15} \in F_{q^{15}}$, $x_{10} \in F_{q^{10}}$, $x_6 \in F_{q^6}$, $x_1 \in F_q$. In a precomputation we compute for each of the $2^5$ possible sets $S \subseteq \{x, x_{15}, x_{10}, x_6, x_1\}$ the product of its elements. The whole precomputation costs at most $2^5$ multiplications in $F_{q^{30}}$. In the computation of $X_{30}$ the exponents of $x$, $x_{15}$, $x_{10}$, etc., have bit lengths $30 \log q$, $15 \log q$, $10 \log q$, etc. This means that in the second half of the simultaneous exponentiation (the last $30 \log q - 15 \log q$ bits of the exponents) we only need to square or square-and-multiply with $x \in F_{q^{30}}$. So the average cost in the second half of the simultaneous exponentiation is equal to $3(15 \log q)/2$ multiplications in $F_{q^{30}}$. The simultaneous exponentiation corresponding to the bits ranging from position $10 \log q$ to $15 \log q$ involves square or square-and-multiply with $x$, $x_{15}$, or $x \cdot x_{15}$. This costs on average $7(5 \log q)/4$ multiplications (5 is the difference between 15 and 10; on average we need 1 multiplication in 1 out of 4 cases and 2 multiplications in 3 out of 4 cases). Notice that we treat squaring as a single multiplication in this exercise. Continuing this argument we need in total $234(2^5 + 15(3/2) + 5(7/4) + 4(15/8) + 5(31/16) + 1(63/32))(\log q) = 19283.1 \log q$ multiplications in $F_q$ ($2^5$ comes from preprocessing).

The outputs $X_5$, $X_3$ and $X_2$ are single exponentiations in $x_{15}$, $x_6$, and $x_{10}$, respectively, costing a total of $3(78 \cdot 15 + 18 \cdot 6 + 45 \cdot 10)(\log q)/2 = 2592 \log q$ multiplications. Concluding, the computation of $\tau$ costs approximately $24468.6 \log q$ multiplications in $F_q$. A single exponentiation in $F_{q^{30}}$ costs $234 \cdot 30 (\log q) 3/2 = 10530 \log q$ multiplications. Hence, $\tau$ costs about 2.32 exponentiations in $F_{q^{30}}$.

In the implementation of $\tau^{-1}$ we compute $x$ as a single exponentiation in $X_{30}$, costing $234 \cdot 30 (\log q) 3/2 = 10530 \log q$ multiplications. In step 5, $x_{15}$ is a simultaneous exponentiation in $X_{30}$ and $X_5$ (and a table look up for the exponentiation in $x_{15}'$). This costs $78(2^2 + 25(3/2) + 5(7/4))(\log q) = 3919.5 \log q$ multiplications. Similarly, $x_{10}$ costs $45(2^2 + 28(3/2) + 2(7/4))(\log q) = 2227.5 \log q$ and $x_6$ costs $18(2^2 + 27(3/2) + 3(7/4))(\log q) = 895.5 \log q$ multiplications. We compute $x_1$ as a single exponentiation in $X_{30}$, costing $234 \cdot 30 (\log q) 3/2 = 10530 \log q$ multiplications. Concluding, the computation of $\tau^{-1}$ costs approximately $28102.5 \log q$ multiplications, which is equivalent to 2.67 exponentiations in $F_{q^{30}}$.
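The cost figures above follow from a small model of square-and-multiply and simultaneous exponentiation. The Python program below, an added example rather than the authors' code, encodes that model with the page's table of $f(d)$ (taking $f(1) = 1$, which the page leaves implicit in the $+1$ term of step 1) and reproduces the $\tau$ and $\tau^{-1}$ totals for $n = 30$; all costs are in multiplications in $F_q$ per unit of $\log q$.

```python
"""Cost model behind the n = 30 figures for tau and tau^{-1} (added example)."""

# f(d): F_q-multiplications per multiplication in F_{q^d}, as listed on the page ([31]);
# f(1) = 1 is an assumption matching the "+ 1" term in the step 1 total.
F = {30: 234, 15: 78, 10: 45, 6: 18, 5: 15, 3: 6, 2: 3, 1: 1}


def single_exp_cost(d):
    """Square-and-multiply in F_{q^d} with a (d log q)-bit exponent: d log q squarings plus
    on average (d log q)/2 multiplications, i.e. (3/2) d f(d) per unit of log q."""
    return 1.5 * d * F[d]


def simul_exp_cost(d, lengths):
    """Simultaneous exponentiation in F_{q^d} with len(lengths) bases whose exponents have
    the given bit lengths (in units of log q).  Precomputing every subset product costs
    2^k multiplications; while j bases are active each bit costs a squaring plus a
    multiplication in all but the all-zero pattern, i.e. 2 - 2^-j on average."""
    ls = sorted(lengths, reverse=True) + [0]
    cost = 2 ** len(lengths)
    for j in range(1, len(lengths) + 1):
        cost += (ls[j - 1] - ls[j]) * (2 - 2 ** -j)
    return F[d] * cost


def tau_cost():
    """tau for n = 30: step 1 (x'_15, x'_10, x'_6, x'_1), step 2 (X_30 from five bases),
    and the outputs X_5, X_3, X_2 as single exponentiations in x_15, x_6, x_10."""
    step1 = sum(single_exp_cost(d) for d in (15, 10, 6, 1))
    step2 = simul_exp_cost(30, [30, 15, 10, 6, 1])
    outputs = sum(single_exp_cost(d) for d in (15, 6, 10))
    return step1 + step2 + outputs


def tau_inverse_cost():
    """tau^{-1} for n = 30: x from X_30; x_15, x_10, x_6 from X_30 paired with X_5, X_2, X_3
    (exponent lengths 30 and 5, 2, 3 in units of log q); x_1 from X_30."""
    x = single_exp_cost(30)
    x15 = simul_exp_cost(15, [30, 5])
    x10 = simul_exp_cost(10, [30, 2])
    x6 = simul_exp_cost(6, [30, 3])
    x1 = single_exp_cost(30)
    return x + x15 + x10 + x6 + x1


def in_field_exponentiations(cost):
    """Express a cost as a multiple of one exponentiation in F_{q^30}."""
    return cost / single_exp_cost(30)
```

The segment lengths $15, 5, 4, 5, 1$ with per-bit costs $3/2, 7/4, 15/8, 31/16, 63/32$ are exactly the terms of the $X_{30}$ expression above, and the per-bit rule $2 - 2^{-j}$ is what the "1 out of 4 cases" remark generalizes to.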



7 Conclusions and Open Problems 

Our fundamental contribution is a compact and efficient representation of elements of $T_n(F_q)$, namely, the construction of bijections $\theta$ and $\theta^{-1}$ of section 3. This allows us to construct ElGamal signature and encryption schemes meeting the optimal rate of communication, as well as a secret key exchange protocol meeting this rate asymptotically. If the torus conjecture of [24] is proven, the schemes in that paper will also achieve this rate, and moreover, their scheme for DH key exchange will meet the optimal rate even for a single key exchanged. Hence, resolving their conjecture is an important problem. Another important question is whether the computational cost of our schemes can be reduced to a more practical level. Finally, our representation of $T_n(F_q)$ may have other applications.
Abstract. Ordinarily, RSA and Rabin ciphertexts and signatures are $\log N$ bits, where $N$ is a composite modulus; here, we describe how to "compress" Rabin ciphertexts and signatures (among other things) down to about $(2/3) \log N$ bits, while maintaining a tight provable reduction from factoring in the random oracle model. The computational overhead of our compression algorithms is small. We also improve upon Coron's results regarding partial-domain-hash signature schemes, reducing by over 300 bits the hash output size necessary to prove adequate security.



1 Introduction 

The hardness of factoring is one of the most fundamental and frequently used 
assumptions of public-key cryptography; yet cryptosystems that rely on the fac- 
toring assumption have relatively poor performance in terms of bandwidth. For 
example, RSA and Rabin ciphertexts and signatures are typically at least as 
many bits as the composite modulus N, while recent advances in hardware-based 
approaches to factoring (e.g., [32]) suggest that N must be more than 1024 bits 
for strong security. So, factoring-based cryptosystems often do not compare fa- 
vorably with cryptosystems based on alternative hard problems - e.g., ECC for 
encryption or DSA for signatures. 

Bandwidth consumption is important, in part because fundamental limita- 
tions of wireless technology put bandwidth at a premium. For example, Barr 
and K. Asanovic [2] note that wireless transmission of a single bit can cost more 
than 1000 times as much energy as a 32-bit computation. Since battery efficiency 
is growing relatively slowly, energy consumption (particularly through wireless 
transmission) may become a significant bottleneck. 

Moreover, signal interference places physical limits on how much data can 
be transmitted wirelessly in a given region. This was not a problem in wired 
networks. These limitations are compounded by the lossiness of wireless channels, 
which necessitates additional bandwidth in the form of forward error correction 
(FEC). FEC is particularly important for cryptographic transmissions, where 
partial recovery of a ciphertext or digital signature is typically useless. 

These considerations make compression algorithms very attractive. In fact, in recent years, substantial progress has been made in constructing "compressed" cryptosystems. For example, XTR [22] and CEILIDH [30] both use "compact representations" of certain elements to achieve a bandwidth savings. There are also a variety of hybrid cryptosystems, such as signcryption and aggregate signature schemes, in which multiple cryptographic functionalities are somehow represented by a single, relatively short string. However, although such hybrid cryptosystems exist for RSA and Rabin, none of them breaks the "$(\log N)$-bit barrier."

Our Design Goals. In light of these considerations, we would like to construct a compression algorithm that is broadly applicable to factoring-based schemes, such as RSA and Rabin. Ideally, the compression algorithm should allow RSA and Rabin ciphertexts and signatures to be substantially less than $\log N$ bits without sacrificing any security - i.e., while still using (and retaining the security of) a $(\log N)$-bit modulus. Moreover, the compression algorithm should add minimal computational overhead. If the compression algorithm requires additional computation, this computation should not require use of the secret key, so that it can be performed (more quickly) outside of a "secure environment," such as a smart card.

Our Results. We essentially achieve our design goals, except that our
techniques work only for Rabin-type cryptosystems, not for RSA. Along the way,
we also substantially improve upon Coron’s results on partial-domain-hash Rabin
signature schemes (Rabin-PDH).

Coron [16] proved the security of a variant of the Rabin signing scheme
(Rabin-PDH) in which the hash function that is used to hash the message
outputs strings of length $(\frac{2}{3} + \epsilon) \log N$ bits. It turns out
that this $\epsilon$ has a large effect in practice: if the simulator in the
security proof wishes to generate a distribution of signatures whose
statistical distance from uniform is less than $2^{-80}$, Coron’s method
requires that the hash output length be at least $\frac{2}{3} \log N + 364$
bits. We provide a perfectly uniform drawing algorithm that reduces the
necessary hash output length to only $\frac{2}{3} \log N + 3$ bits; moreover,
our security proof is tighter.

Our main result, however, is a compression algorithm that allows a 33%
reduction in the bit-length of Rabin signatures and ciphertexts, without any
sacrifice in security. (Notice that Coron’s result is not a compression
algorithm; although the hash output length of Coron’s Rabin-PDH scheme may be
less than $\log N$ bits, the Rabin-PDH signature itself, which is essentially
a modular square root of the hash output, is a $(\log N)$-bit value.) For our
improved version of Rabin-PDH signatures, the “entropy” of the hash output is
just over $\frac{2}{3} \log N$ bits; thus, it is theoretically possible that
the signature could also be expressed in about $\frac{2}{3} \log N$ bits. In
fact, up to the loss of a few bits, this is precisely what we achieve: a
$(\frac{2}{3} \log N + 6)$-bit Rabin-PDH signature, with a tight reduction
from factoring $N$.

Our lossless compression algorithm also works for Rabin encryption, but in
reverse. A $(\frac{2}{3} \log N)$-bit plaintext is “decompressed” by mapping
it to a $(\log N)$-bit number that has a $(\frac{2}{3} \log N + 3)$-bit
modular square. This modular square is a “compressed” Rabin ciphertext.
Numerous other cryptosystems also involve computing square roots modulo a
composite modulus $N$, including Fiat-Shamir, Cocks’s identity-based
encryption scheme, as well as various schemes enabling ring signatures,
signcryption, and so on. Our techniques enable a similar 33% bandwidth
reduction for these schemes.

Related Work. Like Coron’s work, our techniques build upon Brigitte Vallée’s
elegant analysis of the distribution, in $\mathbb{Z}/N\mathbb{Z}$, of integers
in $B_{N,h,h'} = \{x \in [1,N) : h \le x^2 \pmod N < h'\}$ for $h' - h$ above
Vallée’s threshold - i.e., integers with modular squares in a “narrow”
interval. We provide a self-contained discussion of her results in Section 3.

Some previous work has been done on compressing Rabin and low-exponent
RSA signatures - in particular, Bernstein [7] mentions that one can simply
remove the $\frac{1}{3} \log_2 N$ least significant bits of any regular Rabin
or RSA signature, and the verifier can use Coppersmith’s method [17] to
recover those bits. Bleichenbacher [8] describes an improvement: the signer
can use continued fractions to express the signature $s$ as $a/b \pmod N$,
where $a$ is about $\frac{2}{3} \log_2 N$ bits and $b$ is about
$\frac{1}{3} \log_2 N$ bits, and send $a$ as the signature. The verifier
checks that $c = a^e / H(m) \pmod N$ is an $e$-th power (namely $b^e$) over
$\mathbb{Z}$. The drawback of these methods, though they arguably reduce Rabin
signature length to $\frac{2}{3} \log_2 N$ bits, is that they do not allow
message recovery; the verifier needs $m$ before verifying, which effectively
adds to the signature length. These methods also do not appear to be very
broadly applicable; e.g., they do not appear to lead to low-bit-length
encryption, signcryption and aggregate signature schemes.

As mentioned above, Coron [16] uses a “compressed” output space for the
hash function in a Rabin signature scheme, but the partial-domain hash
signatures themselves are still $\log N$ bits.

Organization of the Paper. This paper is organized as follows. After noting
some preliminaries in Section 2, we describe Vallée’s distributional
observations and her “quasi-uniform” drawing algorithm in Section 3. In
Section 4, we describe our perfectly uniform drawing algorithm, and our
improvement upon Coron’s results regarding Rabin-PDH. We describe our
compression algorithm in Section 5, after which we describe compressed Rabin
encryption and signature schemes in Section 6. Finally, in Section 7, we
mention other cryptosystems - such as signcryption, aggregate signature and
ring signature schemes - for which our compression algorithm allows a 33%
bandwidth reduction.

2 Preliminaries 

We gather some mathematical notation here for convenience. Let $\{0,1\}^*$
denote the set of all bit strings, and let $\{0,1\}^n$ denote the set of all
bit-strings of length $n$. For a real number $r$, $\lceil r \rceil$ denotes
the ceiling of $r$, that is, the smallest integer value greater than or equal
to $r$. Similarly, $\lfloor r \rfloor$ denotes the floor of $r$, that is, the
largest integer value less than or equal to $r$. Finally, $\lfloor r \rceil$
denotes the closest integer to $r$. Let the symbol $\|$ denote concatenation.

Throughout, $N$ will denote a suitable integer modulus. To be suitable, $N$
should at least be computationally hard to factor using any modern factoring
algorithm. In practice, one often generates $N$ as the product of two large
prime numbers $p$ and $q$ - e.g., 512 bits apiece. However, one could choose
$N$ differently for our schemes, if desired. For example, setting $N = p^d q$
for $d > 1$ can lead to efficiency advantages, though one should be wary of
setting $d$ too large [11].

Let $B_{N,h,h'} = \{x \in [1,N) : h \le x^2 \pmod N < h'\}$ for integers $h$
and $h'$ and suitable modulus $N$ - i.e., the set of integers with modular
squares in $[h, h')$. Let $B$ be shorthand for $B_{N,h,h'}$ when $N$, $h$ and
$h'$ are understood.

A “lattice” consists of the set of all vectors that can be generated as
integer linear combinations of a set of basis vectors. For example, if $(a,b)$
and $(c,d)$ are two basis vectors in two-dimensional space, the lattice that
they generate is the set of vectors
$\{(k_1 a + k_2 c,\; k_1 b + k_2 d) : k_1, k_2 \in \mathbb{Z}\}$.

3 Distribution of Numbers with Small Modular Squares 

Developing a compressed representation of numbers in $B_{N,h,h'}$ that is
efficiently computable and invertible requires an understanding of how
numbers in $B_{N,h,h'}$ are distributed in $[0, N/2)$. The compression
algorithm works, at a high level, by taking this distribution into account.

In [33], Vallée describes the “global” distribution of $B_{N,h,h'}$ in
$[0, N/2)$ in terms of its “local” distribution in each of a set of Farey
intervals that covers $[0, N/2)$. She then describes each local distribution
in terms of points of a lattice that lie in the region between two parabolas.
For $h' - h$ above Vallée’s threshold, the distribution of
$B_{N,h,h'}$-elements among the Farey intervals is “quasi-independent,”
allowing her to construct an algorithm that draws integers from $B_{N,h,h'}$
“quasi-uniformly.” Since Vallée’s analysis forms the basis of our compression
algorithm, we review it in detail in this section.



3.1 Farey Sequences 

Some properties of Farey sequences are collected in [20]; we recall them below.

Definition 1 (Farey Sequence). The Farey sequence $\mathcal{F}_k$ of order $k$
is the ascending sequence of fractions $a_i/b_i$ with $0 \le a_i \le b_i \le k$
and $\gcd(a_i, b_i) = 1$.

The characteristic property of Farey sequences is expressed in the following
theorem [20]:

Theorem 1. If $a_i/b_i$ and $a_{i+1}/b_{i+1}$ are consecutive in
$\mathcal{F}_k$, then $b_i a_{i+1} - a_i b_{i+1} = 1$.

Another useful theorem concerning Farey sequences is the following:

Theorem 2. If $a_i/b_i$ and $a_{i+1}/b_{i+1}$ are consecutive in
$\mathcal{F}_k$, then $b_i + b_{i+1} > k$.

The latter theorem follows from the fact that
$(a_i + a_{i+1})/(b_i + b_{i+1})$, the so-called “mediant” of $a_i/b_i$ and
$a_{i+1}/b_{i+1}$, is between $a_i/b_i$ and $a_{i+1}/b_{i+1}$ and would be in
$\mathcal{F}_k$ if $b_i + b_{i+1} \le k$. Farey sequences lead naturally to
the notion of a Farey partition, in which the set of mediants partition the
interval $[0, N/2)$ into subintervals. The formal definition is as follows.
Definition 2 (Farey Partition). The Farey partition of order $k$ of the
interval $[0, N/2)$ is the set of intervals
$$J(a_i, b_i) = \left[ \frac{N (a_{i-1} + a_i)}{2 (b_{i-1} + b_i)},\;
\frac{N (a_i + a_{i+1})}{2 (b_i + b_{i+1})} \right),$$
where $a_i/b_i$ is the $i$-th term in $\mathcal{F}_k$.

So that each “end” of $[0, N/2)$ is covered by the partition, we set
$(a_0, b_0) = (a_1, b_1)$ and $(a_{z+1}, b_{z+1}) = (a_z, b_z)$, where
$a_z/b_z = 1/1$ is the final fraction in the Farey sequence.

Vallée found it convenient to use another set of intervals $I(a_i, b_i)$,
called “Farey intervals,” that are related to $J(a_i, b_i)$.

Definition 3 (Farey Interval). The Farey interval $I(a_i, b_i)$ of order $k$
is the open interval with center $a_i N / 2 b_i$ and a radius (depending on
$k$) inversely proportional to $b_i$, where $a_i/b_i$ is the $i$-th term in
$\mathcal{F}_k$.

Using Theorems 1 and 2, one can easily prove that $I(a_i, b_i)$ contains
$J(a_i, b_i)$, and that the interval $I(a_i, b_i)$ is no more than twice as
wide as the interval $J(a_i, b_i)$ [1]. One can also prove that every number
in $[0, N/2)$ is covered by at least one, and at most two, Farey intervals -
e.g., by showing that, for every $i$, $I(a_{i-1}, b_{i-1})$ intersects
$I(a_i, b_i)$, but neither $I(a_{i-1}, b_{i-1})$ nor $I(a_{i+1}, b_{i+1})$
contains the center of $I(a_i, b_i)$. Vallée probably favored using the Farey
intervals rather than the $J(a_i, b_i)$ in her analysis, because (roughly
speaking) the fact that each $I(a_i, b_i)$ is symmetric about $a_i N / 2 b_i$
makes her analysis cleaner. A “Farey Covering,” which is analogous to a Farey
partition, is then defined as follows.

Definition 4 (Farey Covering). The Farey covering of order $k$ of the interval
$[0, N/2)$ is the set of Farey intervals $I(a_i, b_i)$ of order $k$.
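The Farey-sequence facts of this subsection (Definition 1, Theorems 1 and 2,
the partition of Definition 2 with its end conventions, and the containment
and covering properties of the Farey intervals) can be checked mechanically
for small orders. The following Python is an added example written for this
page, not code from the paper or from Vallée. Because the radius in
Definition 3 is not legible above, the code assumes the radius $N/(2 k b_i)$
(marked as an assumption in the code); that is the value under which
Theorems 1 and 2 give exactly the containment and width properties stated in
the text. The Farey sequence is built with `Fraction`, which reduces each
fraction and so also removes duplicates.

```python
from fractions import Fraction


def farey_sequence(k):
    """F_k of Definition 1: ascending fractions a/b with 0 <= a <= b <= k and
    gcd(a, b) = 1.  Fraction() reduces a/b, so the set also drops duplicates such as 2/4."""
    return sorted({Fraction(a, b) for b in range(1, k + 1) for a in range(0, b + 1)})


def check_theorems(k):
    """Theorem 1: b_i a_{i+1} - a_i b_{i+1} = 1, and Theorem 2: b_i + b_{i+1} > k,
    for every pair of consecutive terms of F_k."""
    f = farey_sequence(k)
    for x, y in zip(f, f[1:]):
        ai, bi, aj, bj = x.numerator, x.denominator, y.numerator, y.denominator
        if bi * aj - ai * bj != 1 or bi + bj <= k:
            return False
    return True


def farey_partition(k, N):
    """Definition 2: J(a_i,b_i) = [N(a_{i-1}+a_i)/(2(b_{i-1}+b_i)), N(a_i+a_{i+1})/(2(b_i+b_{i+1})))
    with the end conventions (a_0,b_0) = (a_1,b_1) and (a_{z+1},b_{z+1}) = (a_z,b_z).
    Returns [(a_i/b_i, lo, hi), ...] with exact rational endpoints."""
    f = farey_sequence(k)
    padded = [f[0]] + f + [f[-1]]
    parts = []
    for i in range(1, len(padded) - 1):
        prev, cur, nxt = padded[i - 1], padded[i], padded[i + 1]
        lo = Fraction(N * (prev.numerator + cur.numerator), 2 * (prev.denominator + cur.denominator))
        hi = Fraction(N * (cur.numerator + nxt.numerator), 2 * (cur.denominator + nxt.denominator))
        parts.append((cur, lo, hi))
    return parts


def farey_interval(frac, k, N):
    """Definition 3: the open interval centred at a_i N / 2 b_i.
    ASSUMPTION (the radius is not legible on the page): radius N / (2 k b_i),
    which is inversely proportional to b_i as the text requires."""
    a, b = frac.numerator, frac.denominator
    center, radius = Fraction(a * N, 2 * b), Fraction(N, 2 * k * b)
    return center - radius, center + radius


def check_covering(k, N):
    """For one (k, N): the J's tile [0, N/2) exactly; each J(a_i,b_i) lies inside I(a_i,b_i);
    I(a_i,b_i), clipped to [0, N/2), is at most twice as wide as J(a_i,b_i); and every
    integer in [0, N/2) lies in one or two Farey intervals (open, so endpoints do not count)."""
    parts = farey_partition(k, N)
    half = Fraction(N, 2)
    if parts[0][1] != 0 or parts[-1][2] != half:
        return False
    if any(hi != lo for (_, _, hi), (_, lo, _) in zip(parts, parts[1:])):
        return False
    intervals = [farey_interval(fr, k, N) for fr, _, _ in parts]
    for (_, lo, hi), (ilo, ihi) in zip(parts, intervals):
        if not (ilo < lo and hi <= ihi):                   # J inside I
            return False
        if min(ihi, half) - max(ilo, 0) > 2 * (hi - lo):   # |I| <= 2 |J| within [0, N/2)
            return False
    for x in range((N + 1) // 2):                          # integers of [0, N/2)
        if sum(1 for ilo, ihi in intervals if ilo < x < ihi) not in (1, 2):
            return False
    return True
```

`check_covering(5, 1000)` walks the eleven intervals of $\mathcal{F}_5$; the
only places where an integer lies in exactly one Farey interval are the
middles of the wide intervals around fractions with small denominators, which
is the picture behind Theorem 2 and the "at most two" claim.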

3.2 The Connection between Farey Sequences and B’s Distribution 

Although it is far from obvious, Farey sequences have a close connection with
the distribution in $\mathbb{Z}/N\mathbb{Z}$ of integers in $B_{N,h,h'}$.
Vallée observed that the gaps between consecutive integers in $B$ vary widely
close to the rationals $a_i N / 2 b_i$ of small denominator $b_i$. Close to
these rationals, the distribution might be called “clumpy,” with large gaps
separating sequences of small gaps. However, as one considers wider intervals
centered at $a_i N / 2 b_i$, the distribution of $B$-elements provably “evens
out” - i.e., the ratio of the number of $B$-elements in the interval, versus
the number one would expect if the $B$-elements were distributed uniformly,
approaches 1. Roughly speaking, the width of interval needed before the
“clumpiness” can be disregarded is inversely proportional to $b_i$. This is
one reason why Farey intervals are useful for analyzing $B$’s distribution;
the diameter of $I(a_i, b_i)$ is also inversely proportional to $b_i$.

Building on the above observations, Vallée ultimately proved that the number
of $B_{N,h,h'}$-elements in $I(a_i, b_i)$ is essentially proportional to the
width of $I(a_i, b_i)$ (as one would expect), as long as $h' - h$ is large
enough. Formally, Vallée proved the following theorem [33].

Theorem 3. For $-h = h'$ above Vallée’s threshold and $k$ the order
determined by $N$ and $h'$, the subset $B_{N,h,h'}$ and the Farey covering of
order $k$ are quasi-independent.

Vallée defines quasi-independence as follows.

Definition 5 (Quasi-Independence). A subset $X$ and a covering
$\mathcal{Y} = \{Y_j\}$ of $\mathbb{Z}_N$ are quasi-independent if, for all
$j$, the sets $X$ and $Y_j$ are $(l_1, l_2)$-independent for some positive
constants $l_1$ and $l_2$ - i.e.,
$l_1 \le \frac{\Pr[X \cap Y_j]}{\Pr[X] \cdot \Pr[Y_j]} \le l_2$, the
probabilities being over a uniformly random element of $\mathbb{Z}_N$.

Clearly, this definition is meaningless unless $l_1$ and $l_2$ are independent
of $N$. Vallée proves that $l_1 = \frac{1}{5}$ and $l_2 = 4$ suffice when
$-h = h'$ is above her threshold and $k$ is the corresponding order. This
means that, for these parameters, any given Farey interval has no more than
$l_2 / l_1 = 20$ times the “density” of $B_{N,h,h'}$-elements of any other
Farey interval.

Interestingly, Vallée’s proof of Theorem 3 is essentially constructive. To
analyze the distribution of $B_{N,h,h'}$-elements in the “local” region
$I(a_i, b_i)$, Vallée associates each $B_{N,h,h'}$-element with a point that
is in a particular lattice and that lies in the region between two particular
parabolas. She then partitions the lattice into a set of parallel lines. The
number of lines may be very large - e.g., superpolynomial in $\log N$. Her
distribution analysis then becomes “even more local”; she provides upper and
lower bounds on how many associated lattice points can occur on each line
(except for at most 6 of the lines, for which she only provides upper bounds).
These bounds imply similar bounds on the number of $B_{N,h,h'}$-elements in
$I(a_i, b_i)$. Her constructive approach results in what one may call a
“quasi-enumeration” of $B_{N,h,h'}$-elements in $I(a_i, b_i)$, in which each
element is indexed first by the line of its associated lattice point, and then
by the lattice point’s position on the line. This quasi-enumeration is crucial
to Vallée’s “quasi-uniform” drawing algorithm (subsection 3.3), to our uniform
drawing algorithm (Section 4), and to our algorithms for losslessly
compressing $B_{N,h,h'}$-elements (Section 5).

Before discussing these algorithms, we review the details of Vallée’s
analysis. Set $x_0$ to be the closest integer to $a_i N / 2 b_i$ (the center
of the Farey interval). If $x = x_0 + u$ is in $B_{N,h,h'}$, then
$h \le x_0^2 + 2 x_0 u + u^2 \pmod N < h'$. Now, let $L(x_0)$ be the lattice
generated by the vectors $(1, 2 x_0)$ and $(0, N)$. Then, $x = x_0 + u$ is in
$B_{N,h,h'}$ precisely when there is a $w$ such that $(u, w) \in L(x_0)$ and
$h \le x_0^2 + w + u^2 < h'$. The latter requirement implies that $(u, w)$ is
in between the two parabolas defined, in variables $u'$ and $w'$, by the
formulas $x_0^2 + w' + u'^2 = h$ and $x_0^2 + w' + u'^2 = h'$.

Thus, if we set $u_0 = x_0 - a_i N / 2 b_i$, then each
$x \in B_{N,h,h'} \cap I(a_i, b_i)$ corresponds to a lattice point in:
$$P(a_i, b_i) = \{(u, w) \in L(x_0) : |u + u_0| < \text{radius of } I(a_i, b_i)
\text{ and } h \le x_0^2 + w + u^2 < h'\}. \quad (1)$$

It may seem like a fairly complicated task to approximate how many lattice
points in $L(x_0)$ are between the two parabolas defined above¹, but, as
Vallée describes, it is possible to find a lattice basis of $L(x_0)$ in which
the basis vectors are each short, with one basis vector being
“quasi-horizontal” and the other being “quasi-vertical.” The basis is $(r, s)$
with:

¹ Indeed, finding all of the $L(x_0)$ points on a single parabola is
equivalent to finding all of a number’s modular square roots, which is
equivalent to factoring.
$$r = b_i (1, 2 x_0) - a_i (0, N) = (b_i,\; 2 b_i u_0), \quad (2)$$

$$s = b_{i-1} (1, 2 x_0) - a_{i-1} (0, N)
= \left( b_{i-1},\; \frac{N}{b_i} + 2 b_{i-1} u_0 \right). \quad (3)$$

Recall that $|u_0| \le \frac{1}{2}$, and $b_i \le k$ with $k$ as in Theorem 3.
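Equation (1) and the short basis of equations (2) and (3) can be exercised on
a small modulus. The following Python is an added example written for this
page, not code from Vallée or from the paper. The modulus ($1019 \cdot 1031$),
the interval $[h, h')$, the order $k$ and the Farey fraction are constructed
toy values, and the radius of $I(a_i, b_i)$ is assumed to be $N/(2 k b_i)$
because it is not legible above. The code lists the $B_{N,h,h'}$-elements of
one Farey interval by brute force, maps each to its point $(u, w)$, confirms
that the point lies in $L(x_0)$ between the two parabolas, checks that
$(r, s)$ has determinant $N$ (Theorem 1, so it spans the whole lattice) and
matches the closed forms in (2) and (3), and writes every point in that basis
with integer coordinates.

```python
import math
from fractions import Fraction


def farey_neighbors(k, num, den):
    """((a_{i-1}, b_{i-1}), (a_i, b_i)) for the term a_i/b_i = num/den of the Farey
    sequence F_k (Definition 1, fractions 0/1 .. 1/1 with denominators <= k)."""
    f = sorted({Fraction(a, b) for b in range(1, k + 1) for a in range(0, b + 1)})
    i = f.index(Fraction(num, den))
    return (f[i - 1].numerator, f[i - 1].denominator), (f[i].numerator, f[i].denominator)


def lattice_view(N, h, h_prime, k, num, den):
    """For the Farey interval I(a_i,b_i) of order k (radius ASSUMED to be N/(2 k b_i)):
    enumerate the B_{N,h,h'}-elements inside it, build the lattice point (u, w) of equation (1)
    for each one, and express that point in the short basis (r, s) of equations (2) and (3)."""
    (a_prev, b_prev), (a, b) = farey_neighbors(k, num, den)
    center = Fraction(a * N, 2 * b)
    x0 = round(center)                       # closest integer to the centre of I(a_i,b_i)
    u0 = x0 - center                         # |u_0| <= 1/2
    radius = Fraction(N, 2 * k * b)          # assumption, see lead-in
    # Short basis of L(x_0) = <(1, 2x_0), (0, N)>, equations (2) and (3).
    r = (b, 2 * b * x0 - a * N)
    s = (b_prev, 2 * b_prev * x0 - a_prev * N)
    det = r[0] * s[1] - r[1] * s[0]          # equals N by Theorem 1, so (r, s) spans L(x_0)
    basis_ok = r[1] == 2 * b * u0 and s[1] == Fraction(N, b) + 2 * b_prev * u0
    # Integers x of [1, N/2) lying in the open interval I(a_i,b_i).
    lo = max(1, math.floor(center - radius) + 1)
    hi = min((N - 1) // 2, math.ceil(center + radius) - 1)
    n_elements = 0
    all_in_lattice = all_integer_coords = True
    for x in range(lo, hi + 1):
        if not h <= x * x % N < h_prime:
            continue                         # x is not a B_{N,h,h'}-element
        n_elements += 1
        u = x - x0
        # x^2 = x_0^2 + 2 x_0 u + u^2.  With w = 2 x_0 u - N * floor(x^2 / N) the sum
        # x_0^2 + w + u^2 equals x^2 mod N, which lies in [h, h') by the test above.
        w = 2 * x0 * u - N * (x * x // N)
        in_lattice = (w - 2 * x0 * u) % N == 0          # (u, w) = u(1, 2x_0) + t(0, N)
        between = h <= x0 * x0 + w + u * u < h_prime    # between the two parabolas
        in_interval = abs(u + u0) < radius               # |u + u_0| = |x - centre|
        if not (in_lattice and between and in_interval):
            all_in_lattice = False
        # Coordinates of (u, w) in the basis (r, s) by Cramer's rule; must be integers.
        alpha = Fraction(u * s[1] - s[0] * w, det)
        beta = Fraction(r[0] * w - r[1] * u, det)
        if alpha.denominator != 1 or beta.denominator != 1:
            all_integer_coords = False
    return {"det": det, "basis_ok": basis_ok, "n_elements": n_elements,
            "all_in_lattice": all_in_lattice, "all_integer_coords": all_integer_coords}
```

With $a_i/b_i = 1/3$ and $k = 16$ the predecessor in $\mathcal{F}_{16}$ is
$5/16$, so $r = (3, -1)$ is almost horizontal while $s = (16, N/3 + 32 u_0)$
is almost vertical, which is the "quasi-horizontal / quasi-vertical" shape the
text describes.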

Having computed this short lattice basis, Vallée considers the distribution of
$P(a_i, b_i)$-points (and hence $B$-elements) on individual lines parallel to
the vector $r$. Each point in $P(a_i, b_i)$ lies on a quasi-horizontal line
that intersects the vertical axis at ordinate $w_0 - v N / b_i$ for some
rational index $v \in [0,\; (h' - h)^2 / 16 b_i N + (h' - h) b_i / N]$, where
$w_0 = h' - x_0^2 + u_0^2$ and where consecutive indices differ by 1. For
lines with indices from $v_1 = \lceil 2 (h' - h) b_i / N \rceil$ to
$v_2 = \lfloor (h' - h)^2 / 16 b_i N \rfloor$, which intersect the region
between the two parabolas in an area she dubs the “legs” (which is in between
the “chest” and the “feet”), Vallée proves the following theorem:

Theorem 4. The number $n(v)$ of points in $P(a_i, b_i)$ on the line with
index $v$ in the legs satisfies explicit lower and upper bounds (stated in
[33]).

Her bounds on each individual line in the legs imply lower and upper bounds on
the total number of lattice points in the legs, using inequalities that
compare sums of $1/\sqrt{v}$ over the line indices of the legs with the
integrals $\int dv / \sqrt{v}$; these are equations (4) and (5).



For lines with indices in $[0,\; 2 (h' - h) b_i / N]$ or
$[(h' - h)^2 / 16 b_i N,\; (h' - h)^2 / 16 b_i N + (h' - h) b_i / N]$ that
intersect the “chest” or “feet,” Vallée provides no nontrivial lower bounds on
the number of $P(a_i, b_i)$-points they may contain, only upper bounds. For
$h' - h$ equal to Vallée’s threshold value, one can verify Vallée’s results
that there are at most 4 lines in the chest, each with fewer than
$\sqrt{(h' - h) N / b_i} + 1$ points, and that there are at most 2 lines in
the feet, each with fewer than 8 points. Ultimately, Vallée proves Theorem 3
using her lower bounds for the legs, and upper bounds for the chest, legs and
feet.



3.3 Vallée’s Quasi-uniform Drawing Algorithm

Vallée uses the above results, particularly her lower and upper bounds for the
legs, to obtain a concrete algorithm for drawing integers from $B_{N,h,h'}$
quasi-uniformly when $h' - h$ is above her threshold. For a quasi-uniform
drawing algorithm, the respective probabilities of any two
$B_{N,h,h'}$-elements being drawn are within a constant factor of each other;
formally:

Definition 6 (Quasi-Uniform). A drawing algorithm $C$, defined over a finite
set $U$ and with values in a subset $X$ of $\mathbb{Z}_N$, is said to be
$(l_1, l_2)$-uniform (or quasi-uniform) for constants $l_1$ and $l_2$ if, for
all $x \in X$, $l_1 \le |X| \cdot \Pr[u \leftarrow U : C(u) = x] \le l_2$.
Vallée’s algorithm is as follows:

1. Randomly Select a Starting Point: Pick a random integer $x \in [0, N/2)$
with uniform distribution.

2. Determine Farey Interval: Use continued fractions to compute $(a_i, b_i)$
for which $x \in J(a_i, b_i)$.

3. Evaluate the Number of Points in $P(a_i, b_i)$: Compute
$x_0 = \lfloor a_i N / 2 b_i \rceil$; count exactly the number $n_{c+f}$ of
points in the chest and feet, and obtain a lower bound $n_l$ on the number of
points in the legs using Vallée’s lower bounds (with Equation 4).

4. Pick a Point from $P(a_i, b_i)$: Randomly select an integer
$t \in [1, n_{c+f} + n_l]$ with uniform distribution. If $t \le n_{c+f}$,
output the appropriate point from the chest or feet. Else, use Equation 4 to
determine which quasi-horizontal line would contain the point in the legs if
each line met Vallée’s lower bounds, and randomly choose a point in
$P(a_i, b_i)$ on that line with uniform distribution.

5. Compute $x'$ from the Chosen Point in $P(a_i, b_i)$: Let $(u, w)$ be the
lattice point output by the previous step. Set $x' = x_0 + u$.

Remark 1. In Step 3, one can quickly get an exact count of how many points
are in the chest and the feet by counting the exact number of points on each
line, using simple geometry. (Recall that there are at most 4 lines in the
chest, 2 in the feet.) A line intersects the two parabolas in at most 4
locations (at most 2 on each), possibly cutting the line into two segments
that lie in between the parabolas. After finding the first and last lattice
points on each segment, extrapolating the total number of points on each
segment is easy since the $x$-coordinates of consecutive lattice points differ
by $b_i$ (see Equation 2). Vallée avoids counting the number of points on
lines in the legs, since the number of lines in the legs may be
super-polynomial in $\log N$.



The drawing algorithm outputs an $x' \in B_{N,h,h'}$ that is in the same
$J(a_i, b_i)$ interval as $x$. A wider interval (recall that $I(a_i, b_i)$
has diameter inversely proportional to $b_i$ for $1 \le b_i \le k$, and that
$J(a_i, b_i)$ is at least half as wide as $I(a_i, b_i)$) has a higher chance
of being chosen in the first two steps. However, once an interval is chosen,
any given $B$-element in that interval has a lower probability of being chosen
if the interval is wide than if it is narrow. On balance, these factors even
out (this is quasi-independence), and the drawing algorithm is quasi-uniform.

In computing $l_2 / l_1$, there are three things to consider. First, different
Farey intervals may have different “densities” of $B_{N,h,h'}$-elements;
specifically, the ratio may be as much as 20 (see discussion after Theorem 3).
Second, in Step 2, we used $J(a_i, b_i)$ rather than $I(a_i, b_i)$; since
$I(a_i, b_i)$ is between 1 and 2 times as wide as $J(a_i, b_i)$, this costs
us another factor of 2. Finally, within the $J(a_i, b_i)$ interval, different
lines may be closer to the lower bounds or closer to the upper bounds, leading
to a factor of $\frac{7}{2}$. Thus, $l_2 / l_1$ is at most
$20 \cdot 2 \cdot \frac{7}{2} = 140$.
4 Improving Vallée’s and Coron’s Results

In this section, we describe how to modify Vallée’s quasi-uniform drawing
algorithm to make it perfectly uniform. Our perfectly uniform drawing
algorithm gives us an immediate improvement upon Coron’s proof of security for
Rabin-PDH; in particular, it allows us to reduce the output size of the
partial domain hash function (see subsection 4.2). More generally, the fact
that a simulator can draw $B$-elements uniformly in responding to an
adversary’s hash queries allows us (when combined with the compression schemes
of Section 5) to reduce the bandwidth of several signature-related
cryptosystems, including aggregate signature schemes, ring signature schemes
and signcryption schemes.



4.1 A Perfectly Uniform Drawing Algorithm

Modifying Vallée’s quasi-uniform drawing algorithm to make it perfectly
uniform is surprisingly simple. Our modification is based on our observation
that, for any $B_{N,h,h'}$-element (with $h' - h$ above Vallée’s threshold,
as she requires), anyone can efficiently compute the exact probability
$P_{x'}$ that Vallée’s quasi-uniform drawing algorithm will output $x'$. For
example, a simulator in a security proof can compute this probability
(without, of course, needing the factorization of $N$).

Assume, for now, that we can efficiently compute $P_{x'}$ for any given $x'$.
Let $P_{\min}$ be a lower bound on such probabilities over all
$B_{N,h,h'}$-elements. Then, the improved drawing algorithm is as follows:

1. Use Vallée’s method to pick an $x' \in B_{N,h,h'}$ quasi-uniformly.

2. Compute $P_{x'}$.

3. Goto Step 1 with probability $(P_{x'} - P_{\min}) / P_{x'}$.

4. Otherwise, output $x'$.

Since Vallée’s drawing algorithm is quasi-uniform, the expected number of
“Goto” loops per draw is a small constant; thus, the simulator’s estimated
time-complexity increases only by a constant factor. The probability that $x'$
is chosen in Step 1 and that it “survives” Step 3 is the same for all $x'$ -
namely, $P_{x'} \cdot \left(1 - \frac{P_{x'} - P_{\min}}{P_{x'}}\right) =
P_{\min}$; for this reason, and since each run of Vallée’s algorithm is
independent, the algorithm is perfectly uniform.
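The rejection step of Steps 1 to 4 is easy to see in code once $P_{x'}$ is
computable. The following Python is an added example written for this page,
not code from the paper. In place of Vallée's algorithm it uses a constructed
quasi-uniform sampler that chooses an interval with probability proportional
to its width and then an element of that interval uniformly (so elements of
wide intervals are under-sampled, and overlapping intervals stand in for the
two Farey intervals that may contain one element), computes the exact
$P_{x'}$ for it, and then applies the rule "Goto Step 1 with probability
$(P_{x'} - P_{\min}) / P_{x'}$". `output_distribution` evaluates the
per-element survival probability and the expected number of loops exactly,
which is the argument of the paragraph above; `simulate` checks it
empirically with a seeded generator.

```python
import random
from collections import Counter
from fractions import Fraction


class QuasiUniformSampler:
    """Constructed stand-in for Vallée's drawing algorithm.  `intervals` is a list of
    (width, elements): an interval is chosen with probability width / total width (like the
    choice of x and then of J(a_i,b_i) in Steps 1-2) and then one of its elements uniformly
    (Step 4).  Intervals may overlap, as at most two Farey intervals may contain an element."""

    def __init__(self, intervals):
        self.intervals = intervals
        self.total_width = sum(width for width, _ in intervals)

    def elements(self):
        return sorted({x for _, elems in self.intervals for x in elems})

    def probability(self, x):
        """Exact P_{x'}: sum, over the intervals containing x, of Pr[interval] * 1/|interval|."""
        return sum((Fraction(width, self.total_width) / len(elems)
                    for width, elems in self.intervals if x in elems), Fraction(0))

    def draw(self, rng):
        widths = [width for width, _ in self.intervals]
        _, elems = rng.choices(self.intervals, weights=widths)[0]
        return rng.choice(elems)


def uniform_draw(sampler, rng):
    """Steps 1-4 of section 4.1.  Returns (x', number of passes through Step 1)."""
    p_min = min(sampler.probability(x) for x in sampler.elements())
    passes = 0
    while True:
        passes += 1
        x = sampler.draw(rng)                   # Step 1: quasi-uniform draw
        p_x = sampler.probability(x)            # Step 2: exact P_{x'}
        reject = (p_x - p_min) / p_x            # Step 3: go back with this probability
        if rng.random() >= reject:
            return x, passes                    # Step 4: output x'


def output_distribution(sampler):
    """Exact analysis of one pass: Pr[x' drawn and survives] = P_{x'} (1 - (P_{x'}-P_min)/P_{x'})
    = P_min for every x', so the output is uniform; the expected number of passes is
    1 / (|X| P_min), a constant when the sampler is quasi-uniform."""
    xs = sampler.elements()
    p_min = min(sampler.probability(x) for x in xs)
    survive = {}
    for x in xs:
        p_x = sampler.probability(x)
        survive[x] = p_x * (1 - (p_x - p_min) / p_x)
    return survive, 1 / sum(survive.values())


def simulate(sampler, n_draws, seed):
    """Empirical check: counts of the outputs over n_draws seeded draws."""
    rng = random.Random(seed)
    return Counter(uniform_draw(sampler, rng)[0] for _ in range(n_draws))
```

With the intervals `[(4, [1, 2, 3]), (2, [3, 4, 5, 6]), (1, [7])]` the element
3 is reachable through two intervals and has $P_3 = 11/42$, element 4 has the
minimum $1/14$, and after rejection every element is output with probability
$1/14$ per pass, so a draw takes two passes on average.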

Now, given $x'$, how does one (say, a simulator) compute $P_{x'}$? First, the
simulator determines the at most two Farey intervals $I(a_i, b_i)$ and
$I(a_{i+1}, b_{i+1})$ that contain $x'$. For $I(a_i, b_i)$, the simulator
computes the index $v_i$ of the quasi-horizontal line $l_{v_i}$ that contains
the lattice point $(u_i, w_i)$ associated to $x'$, and the exact number
$n(v_i)$ of lattice points on $l_{v_i}$. Similarly, if there is a second
Farey interval $I(a_{i+1}, b_{i+1})$ that contains $x'$, the simulator
computes $x_{i+1}$, $l_{v_{i+1}}$, $(u_{i+1}, w_{i+1})$, and $n(v_{i+1})$.
Then, using the variables $x$ and $t$ from Vallée’s drawing algorithm, the
probability that $x'$ will be chosen is:
$$P_{x'} = \Pr[x \in J(a_i, b_i)] \cdot
\Pr[t_i \in l_{v_i} \mid x \in J(a_i, b_i)] \cdot \frac{1}{n(v_i)}
\;+\; \Pr[x \in J(a_{i+1}, b_{i+1})] \cdot
\Pr[t_{i+1} \in l_{v_{i+1}} \mid x \in J(a_{i+1}, b_{i+1})] \cdot
\frac{1}{n(v_{i+1})},$$
where we use $\Pr[t_i \in l_{v_i}]$ to denote the probability that the choice
of $t$ in Step 4 of Vallée’s algorithm will map to the line $l_{v_i}$, and the
final factor in each summand is the uniform choice of a point on that line.

Remark 2. So that the above terminology works when $(u_i, w_i)$ (or
$(u_{i+1}, w_{i+1})$) lies in the chest or feet, we can pretend that these
$n_{c+f}$ points lie on a single “line.”

Focusing on the first summand in the expression above, the simulator can
compute each of the two probabilities in this term efficiently. First, the
simulator computes the number of integers in $J(a_i, b_i)$; denoting this
number by $j_i$, $\Pr[x \in J(a_i, b_i)]$ is simply $j_i$ divided by the
number of integers in $[0, N/2)$. Next, for the second probability, suppose
that $n_{c+f} + n_l$ is the approximation used in Step 4 of Vallée’s algorithm
derived from her lower bounds (namely, $n_l$ is her lower bound for the legs,
obtained from Equation 4 in terms of $\sqrt{v_2 + 1}$ and $\sqrt{v_1}$), and
that $n_{v_i}$, obtained in the same way from $\sqrt{v_i + 1}$ and
$\sqrt{v_i}$, is her approximation for the number of points on $l_{v_i}$.
(Warning: our $v_i$ notation collides here with Vallée’s definition of $v_1$
and $v_2$.) Then, $\Pr[t \in l_{v_i} \mid x \in J(a_i, b_i)] =
n_{v_i} / (n_{c+f} + n_l)$. In a similar fashion, the simulator can compute
the necessary probabilities for $I(a_{i+1}, b_{i+1})$, thereby obtaining a
perfectly uniform drawing algorithm.

Vallée was presumably content with finding a quasi-uniform drawing
algorithm, since a uniform algorithm would not have improved her result of a
provable $\exp\bigl(\sqrt{(4/3) \log n \log\log n}\bigr)$-time factoring
algorithm by a significant amount. However, as described below, our uniform
drawing algorithm has a significant practical impact on Coron’s
partial-domain hash variant of Rabin’s signature scheme.

4.2 Improving Coron’s Results for Rabin-PDH

Coron [16] provided a random-oracle security proof for a partial-domain hash
Rabin signature scheme (Rabin-PDH), in which the signature $x'$ is a modular
square root (up to a fudge factor) of $\gamma \cdot H(m) + f(m)$, where $H$ is
a partial-domain hash with output space $[0, N^\beta]$ for
$\frac{2}{3} + \epsilon \le \beta < 1$, $f$ is a possibly constant function,
and $\gamma$ is a constant. In Rabin signing, a common fudge factor is to
accept the signature if $x'^2 = c (\gamma \cdot H(m) + f(m)) \pmod N$ for any
$c \in \{-2, -1, 1, 2\}$, when $N = pq$ for $p \equiv 3 \pmod 8$ and
$q \equiv 7 \pmod 8$. In this case, $x'$ is an integer in $B_{N,h,h'}$ for
$h = c f(m)$ and $h' = h + c \gamma N^\beta$ if $c \gamma$ is positive, or for
$h = h' + c \gamma N^\beta$ and $h' = c f(m)$ if $c \gamma$ is negative.
Coron’s proof requires that $\gamma$ be very small in magnitude (e.g., 16 or
256) [16], so that $h' - h = |c \gamma N^\beta|$ is sufficiently small. One
reason that Rabin-PDH was an interesting problem for Coron to analyze was that
partial-domain hashes were already being used by standardized encoding
schemes. For example, ISO 9796-2 defined the encoding
$\mu(m) = 4A_{16} \,\|\, m \,\|\, H(m) \,\|\, BC_{16}$.

As mentioned above, Coron provides a proof of security for Rabin-PDH when
$h' - h$ is at least $(\frac{2}{3} + \epsilon) \log N$ bits, but this
“$\epsilon$” can be quite large in practice. Coron’s security proof relies
completely on his algorithm for drawing integers from $B_{N,h,h'}$ with a
distribution whose distance from uniform is at most 16 times a negative power
of $N$ whose exponent depends on $\epsilon$. This statistical distance must be
very small, so that an adversary cannot distinguish a real attack from a
simulated attack, in which the simulator uses Coron’s drawing algorithm to
respond to hash queries. For the statistical distance to be at most $2^{-k}$,
the logarithm of this bound, namely $4$ minus a multiple of
$\epsilon \log N$, must be below $-k$, which forces $\epsilon \log N$ to grow
linearly with $k$. This implies that $h' - h$ is at least
$(\frac{2}{3} + \epsilon) \log N$, i.e., $\frac{2}{3} \log N$ plus that many
bits. When $k = 80$, for example, $h' - h$ must be at least
$\frac{2}{3} \log N + 364$ bits. This means that, for $k = 80$, Coron’s
technique does not reduce the minimum output size of the hash function at all,
until $N$ is at least $3 \cdot 364 = 1092$ bits!

We get a better, and much more practical, provable security result by using
our perfectly uniform drawing algorithm. In particular, since our algorithm
allows us to draw $B_{N,h,h'}$-elements uniformly for $h' - h$ above Vallée’s
threshold, we can prove a reduction from factoring to Rabin-PDH when $h' - h$
is only $\frac{2}{3} \log N + 3$ bits, over 300 bits less than Coron’s result
for $k = 80$! Moreover, the proof of security is tighter than Coron’s proof
for two reasons: 1) the adversary cannot possibly distinguish the simulated
distribution from uniform; and 2) Coron’s proof, which adapts his proof for
RSA-FDH [15], does not provide a tight reduction from factoring (cf.
Bernstein [6]).

For completeness, we prove the security of a specific variant of our improved
Rabin-PDH, though it should be clear that our drawing algorithm can work
with essentially any variant. We pick the one (succinctly) described below for
its simplicity. Other variants may have advantages; e.g., Bernstein’s [6]
security reduction is tighter by a small constant, and Bellare and Rogaway
[3] describe an encoding scheme that allows (at least partial) recovery of the
message being signed.

Let $N$ be the public key, with $N = pq$ for $p \equiv 3 \pmod 8$ and
$q \equiv 7 \pmod 8$. Let $\Delta_{a,b}$ be the unique number modulo $N$ that
satisfies $\Delta_{a,b} \equiv a \pmod p$ and $\Delta_{a,b} \equiv b \pmod q$.
Let $H_1 : \{0,1\}^* \to [h, h')$ be the partial-domain hash function with
$h'' = h' - h \pmod N > 8 N^{2/3}$, and $H_2 : \{0,1\}^* \to
\{\Delta_{\pm 1, \pm 1}\}$ be a keyed hash function, with the key known only
to the signer. To sign $M$, the signer first computes $m = H_1(M)$, and then:

1. Sets $s' = m^{(N - p - q + 5)/8} \bmod N$ if $\left(\frac{m}{N}\right) = 1$;
else, sets $s' = (m/2)^{(N - p - q + 5)/8} \bmod N$;

2. Sends $s = s' \cdot H_2(m) \bmod N$.

To verify, the recipient checks that either $s^2 = \pm H_1(M) \pmod N$ or
$s^2 = \pm 2 \cdot H_1(M) \pmod N$. This scheme can be easily modified, à la
Bernstein [6], to avoid the computation of Jacobi symbols.
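The signing and verification steps above can be run end to end on toy
parameters. The following Python is an added example written for this page,
not the paper's code. The primes are tiny constructed values with
$p \equiv 3$ and $q \equiv 7 \pmod 8$ (so the page's requirement
$h'' > 8 N^{2/3}$ on the hash range, which the security proof needs, cannot be
met; the arithmetic does not depend on it), $H_1$ is instantiated as SHA-256
reduced into $[h, h')$, and $H_2$ as an HMAC under a signer-only key that
selects one of the four roots of unity $\Delta_{\pm 1, \pm 1}$ via the CRT.
The code reads the page's $m/2$ as $m \cdot 2^{-1} \bmod N$; since $2$ has
Jacobi symbol $-1$ for this choice of $p$ and $q$, that value has symbol $+1$,
and the branch yields $2 s^2 \equiv \pm H_1(M)$, which is the relation the
verifier checks for the second case.

```python
import hashlib
import hmac

# Constructed toy parameters: p = 3 (mod 8), q = 7 (mod 8) as the scheme requires.
# Real deployments use primes of about 512 bits; these only exercise the arithmetic.
P, Q = 1019, 1031
N = P * Q
H_LO, H_HI = 1, N - 1                          # toy range [h, h') for H_1
SIGNER_KEY = b"H2 key, known only to the signer (constructed)"


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, by the standard reciprocity algorithm."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def delta(a, b):
    """Delta_{a,b}: the unique value mod N with Delta = a (mod p), Delta = b (mod q) (CRT)."""
    return (a * Q * pow(Q, -1, P) + b * P * pow(P, -1, Q)) % N


def h1(message):
    """Partial-domain hash H_1 : {0,1}* -> [h, h'); SHA-256 reduced into the range (toy)."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return H_LO + digest % (H_HI - H_LO)


def h2(m):
    """Keyed hash H_2 onto {Delta_{+-1,+-1}}, the four square roots of 1 mod N."""
    tag = hmac.new(SIGNER_KEY, m.to_bytes(16, "big"), hashlib.sha256).digest()[0]
    return delta(1 if tag & 1 else -1, 1 if tag & 2 else -1)


def sign(message):
    """Steps 1 and 2 of the signer.  The exponent is ((p-1)(q-1) + 4) / 8, an integer here."""
    m = h1(message)
    e = (N - P - Q + 5) // 8
    if jacobi(m, N) == 1:
        s_prime = pow(m, e, N)                           # s'^2 = +-m (mod N)
    else:
        # "m/2" taken as m * 2^{-1} mod N; (2/N) = -1, so this value has Jacobi symbol +1
        s_prime = pow(m * pow(2, -1, N) % N, e, N)      # s'^2 = +-(m * 2^{-1}) (mod N)
    return s_prime * h2(m) % N                           # root of unity leaves s^2 unchanged


def verify(message, s):
    """First case: s^2 = +-H_1(M); second case: 2 s^2 = +-H_1(M) (the m/2 branch of signing)."""
    m = h1(message)
    sq = pow(s, 2, N)
    targets = (m, (-m) % N)
    return sq in targets or (2 * sq) % N in targets
```

Because $s'$ is multiplied by a square root of $1$, $s^2$ does not depend on
which $\Delta_{\pm 1, \pm 1}$ the keyed hash picked, which is why the
verifier needs no key; the signer's choice only fixes which of the four roots
is published.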

In Appendix A, we prove the following theorem.

Theorem 5. Assume that there is a chosen-message attack adversary $A$ that
breaks our Rabin-PDH scheme for modulus $N$ in time $t$ with probability
$\epsilon$. Then, in the random oracle model, there is an algorithm $B$ that
factors $N$ in time $t'$ with probability $\epsilon'$, where $\epsilon'$ is
bounded below in terms of $\epsilon$ (see Appendix A), and
$t' = O(t + q_H \cdot \log^{O(1)} N)$.

5 The Compression Algorithms

In the previous section, we reduced the permissible output size of the hash
function in Rabin-PDH to about $\frac{2}{3} \log N$ bits, but Rabin-PDH
signatures are still $\log N$ bits. In this section, we describe compression
algorithms that allow us to compress not only Rabin-PDH signatures, but also
Rabin ciphertexts (not to mention aggregate signatures, ring signatures,
signcryptions, and so on).

A prerequisite of any compression algorithm is to understand the distribution
of what is being compressed. Vallée gives a constructive characterization of
the distribution, in $\mathbb{Z}/N\mathbb{Z}$, of integers in $B_{N,h,h'}$; we
leverage her characterization to construct a lossless compression algorithm.
Roughly speaking, we associate $B_{N,h,h'}$-elements to strings of about
$\log_2 (h' - h)$ bits that specify the $B_{N,h,h'}$-element’s Farey interval
and its “address” (according to Vallée’s rough enumeration) within that
interval. For a $B$-element in a wider Farey interval, we use fewer bits of
the bit string to specify the Farey interval and more bits to specify its
address; on balance, it evens out.

Our compression algorithms involve two nondeterministic quasi-bijections,
$\theta : B_{N,h,h'} \times \mathcal{D} \to \{0,1\}^{c_2 + \log_2 (h' - h)}$
(used in signature schemes) and
$\pi : \{0,1\}^{\log_2 (h' - h) - c_1} \times \mathcal{D} \to B_{N,h,h'}$
(used in the encryption scheme), for small nonnegative constants $c_1$ and
$c_2$. These mappings are not actual bijections; we call them
“nondeterministic quasi-bijections” since the image of an element under each
mapping or its inverse has a small constant cardinality; formally:

Definition 7 (Nondeterministic Quasi-bijection). For sets
$(X, \mathcal{D}, Y)$ and constants $(l_1, l_2, l_3, l_4)$, we say
$\pi : X \times \mathcal{D} \to Y$ is an
$(l_1, l_2, l_3, l_4)$-nondeterministic-quasi-bijection if:

1. For all $x \in X$, the cardinality of $\{\pi(x, d) : d \in \mathcal{D}\}$
is in $[l_1, l_2]$.

2. For all $y \in Y$, the cardinality of
$\{x \mid \exists d \in \mathcal{D} \text{ with } \pi(x, d) = y\}$ is in
$[l_3, l_4]$.

Above, $\mathcal{D}$ is an auxiliary set - e.g., it may be used as a source of
(a small number of) random dummy bits if one wishes to make $\pi$ randomized.
The purpose of $\mathcal{D}$ is simply to make $\pi$ an actual “mapping,” with
a single output for a given input (even though for a single $x \in X$ there
may be multiple outputs). Notice that an actual bijection is a
$(1, 1, 1, 1)$-quasi-bijection.

Roughly speaking, our signature scheme uses $\theta$ to compress, without
loss, a Rabin-PDH signature (an element of $B_{N,h,h'}$) to a short bit
string. Since the “entropy” of the hash output in Rabin-PDH is about
$\frac{2}{3} \log N$ bits, one may hope that a Rabin-PDH signature can also be
this short; in fact, within a few bits, this is precisely the case. To verify
the compressed signature, it is decompressed to recover the ordinary Rabin-PDH
signature, which is then verified in the normal fashion. Our encryption
scheme uses $\pi$ to map encoded bit strings to integers in $B_{N,h,h'}$,
which are then squared to create short ciphertexts. Both $\theta$ and $\pi$
are efficiently computable and efficiently invertible - i.e., it is easy to
recover $x$ from $\pi(x, d)$ or $x'$ from $\theta(x', d)$ - without any
trapdoor information.

Why don’t we just replace $\pi$ with $\theta^{-1}$? Indeed, we could if
$\theta$ were a bijection, but (unfortunately) $\theta$ maps each
$B_{N,h,h'}$-element to possibly several short strings; if we used
$\theta^{-1}$ to map short encoded messages to $B_{N,h,h'}$-elements,
multiple plaintexts would correspond to the same ciphertext, which we wish to
avoid. Thus, although the only real difference between $\pi$ and
$\theta^{-1}$ is that we reduce the size of $\pi$’s domain to ensure that it
is an injection, we find it convenient to keep the notation separate.

5.1 Mapping B-Elements to Short Strings (The $\theta$ Quasi-bijection)

Below, we give one approach to the $\theta$ quasi-bijection. Roughly speaking, $\theta(x', d)$
re-expresses a $B_{N,h,h'}$-element $x'$ according to its Farey interval and its "address"
(using Vallée's lattice) within the Farey interval. For example, a "naive" way to
re-express $x'$ is as $(a_i, b_i, v, l)$, where $(a_i, b_i)$ defines $x'$'s Farey interval, $v$ is the
index of the quasi-horizontal line that contains the lattice point associated to $x'$,
and $l$ represents the lattice point's position on the line. In this format, $x'$ has at
most two representations, one corresponding to each Farey interval that contains
$x'$; the only effect of "$d$" is to pick one of these representations. We describe a
different format below that has tighter compression and does not suffer from the
parsing problems of the naive approach.

The $\theta$ quasi-bijection below maps $x' \in B_{N,h,h'}$ to a short string in $[0, h'']$,
where $h''$ is a parameter whose value will be calibrated later.

Computing $\theta(x', d)$:

1. Determine $(a_i, b_i)$ for which $x'$ is in $J(a_i, b_i)$.

2. Compute $x_{left}$, the smallest integer in $[0, h'']$ with $(x_{left} + 1) \cdot \frac{N}{2h''}$ in $J(a_i, b_i)$,
and $x_{right}$, the largest integer in $[0, h'']$ with $x_{right} \cdot \frac{N}{2h''}$ in $J(a_i, b_i)$.

3. Compute $n_{c+f}$, the number of lattice points in the chest and feet of $P(a_i, b_i)$,
and $n_l$, an upper bound for the number of points in the legs.

4. Using Vallée's enumeration, select one integer $c' \in [1, x_{right} - x_{left}]$ (there may
be several) that corresponds to the lattice point $(u, w)$ that is associated to
$x'$. More specifically:

- If $(u, w)$ is the $l$-th point in the chest or feet, set $c = l$.

- Otherwise, let $s_v$ be Vallée's upper bound for the number of leg lattice
points on quasi-horizontal lines with index at most $v$. Compute the index $v$
of the line containing $(u, w)$. Let $n_v$ be the actual number of lattice points
on the line with index $v$ and let $n'_v = s_v - s_{v-1}$ be Vallée's upper-bound
estimate. Suppose that $x'$ is the $k$-th lattice point on the line. Pick an integer
$c \in \left( n_{c+f} + s_{v-1} + \frac{(k-1) n'_v}{n_v},\; n_{c+f} + s_{v-1} + \frac{k n'_v}{n_v} \right]$.

- Pick an integer $c' \in \left( \frac{(x_{right} - x_{left})(c-1)}{n_{c+f} + n_l},\; \frac{(x_{right} - x_{left}) c}{n_{c+f} + n_l} \right]$. Set
$x = x_{left} + c'$.

Although not mentioned explicitly in the algorithm description above, Vallée's
quasi-enumeration, and the steps that use this quasi-enumeration, depend on
the values of $h$ and $h'$ (which we assume to be public, and which could
most conveniently be set to $0$ and $8N^{2/3}$). Shortly, we will calibrate $h''$ so that
$x_{right} - x_{left}$ is larger than (but within a constant of) $n_{c+f} + n_l$. In computing
$\theta(x', d)$, $d$ is used - either deterministically or as a source of random bits - to
pick the values of $c$ and $c'$. Given $\theta(x', d)$, one can recover the value of $x'$ as
follows:




192 Craig Gentry 



Computing $\theta^{-1}(x)$:

1. Determine $(a_i, b_i)$ for which $x \cdot \frac{N}{2h''}$ is in $J(a_i, b_i)$.

2. Compute $x_{left}$, the smallest integer in $[0, h'']$ with $(x_{left} + 1) \cdot \frac{N}{2h''}$ in $J(a_i, b_i)$,
and $x_{right}$, the largest integer in $[0, h'']$ with $x_{right} \cdot \frac{N}{2h''}$ in $J(a_i, b_i)$.

3. Compute $n_{c+f}$, the number of lattice points in the chest and feet of $P(a_i, b_i)$,
and $n_l$, an upper bound for the number of points in the legs.

4. Compute $c' = x - x_{left}$. From $c'$ and $n_{c+f} + n_l$, compute the value of $c$. If
$c \le n_{c+f}$, let $(u, w)$ be the $c$-th point in the chest or feet. Otherwise, compute
the index $v$ such that $c \in (n_{c+f} + s_{v-1}, n_{c+f} + s_v]$, as well as the value of
$k$ (defined as above), and let $(u, w)$ be the $k$-th point on the quasi-horizontal
line with index $v$.

5. Set $x' = \theta^{-1}(x) = x_0 + u$, where $x_0$ is the base point of the lattice associated to $J(a_i, b_i)$.

Now, we calibrate $h''$ to be as small as possible while still allowing the property
that at least one bit string in $[0, h'']$ is uniquely associated to each $B_{N,h,h'}$-element.
We can ensure this property if, for every interval, $x_{right} - x_{left} \ge n_{c+f} + n_l$ - i.e.,
the number of bit strings associated to $J(a_i, b_i)$ is at least the number of points
in $P(a_i, b_i)$.

Since $x_{left} \cdot \frac{N}{2h''}$ and $(x_{right} + 1) \cdot \frac{N}{2h''}$ are separated by a distance greater than the
width of $J(a_i, b_i)$, we get that $(x_{right} - x_{left} + 1) \cdot \frac{N}{2h''}$ exceeds half of the diameter
of $I(a_i, b_i)$; thus, $x_{right} - x_{left} + 1$ is bounded from below by that half-diameter scaled by $\frac{2h''}{N}$.

To determine an $h''$ for which this lower bound is at least $n_{c+f} + n_l$, we use the upper bound
on $n_{c+f} + n_l$ proven by Vallée [33]. It gives that if $h'' \ge 8(h' - h)$,
then $x_{right} - x_{left} + 1 > n_{c+f} + n_l$. As long as the $n_l$ estimate is an integer, this
implies that $x_{right} - x_{left} \ge n_{c+f} + n_l$, as desired. So, we can set $h'' = 8(h' - h)$.
For this value of $h''$, the $\theta$ mapping compresses $B_{N,h,h'}$-elements to within 3 bits
of the theoretical minimum. The reader can verify that $\theta$ outputs an answer for
every $x'$ (i.e., $l_1 \ge 1$) and that $\theta^{-1}$ has exactly one possible output for each $x$
(i.e., $l_3 = l_4 = 1$).

5.2 Mapping Short Strings to B-Elements (The $\pi$ Quasi-bijection)

Like $\theta^{-1}$, the $\pi$ quasi-bijection maps short strings to $B_{N,h,h'}$-elements. However,
we would like $\pi$ to map short strings (e.g., plaintext strings) into $B_{N,h,h'}$ injectively
(e.g., to allow correct decryption); thus, the set of short strings is smaller
than the set of $B_{N,h,h'}$-elements (rather than the reverse). For that reason, $\pi$
uses Vallée's lower bounds (unlike $\theta$). Since $\pi$ is otherwise similar to $\theta^{-1}$, we
relegate a precise description of $\pi$ to Appendix B.

In terms of performance, all steps of the $\theta$ and $\pi$ quasi-bijections and their
inverses are $O(\log^2 N)$, except (possibly) the determination of the Farey interval,
which uses continued fractions. However, even the continued fraction step can
be computed in $O(\log^2 N)$ time - e.g., using adaptations of techniques from [14].




How to Compress Rabin Ciphertexts and Signatures (and More) 193 



6 Compressed Rabin-PDH Signing and Compressed Rabin-OAEP+ Encryption

In this section, we describe how to use the $\theta$ and $\pi$ quasi-permutations to achieve
a 33% reduction in the size of Rabin signatures and Rabin ciphertexts.

The signature case is easy to describe. Recall that, in Section 4.2, we described
how to construct a Rabin-PDH signature $s$ that satisfies either $s^2 \equiv \pm H_1(M) \pmod N$
or $s^2 \equiv \pm 2 \cdot H_1(M) \pmod N$ for $H_1 : \{0,1\}^* \to [h, h')$, with $h' - h$ as specified
there. For simplicity, let's assume that $s^2 \equiv H_1(M) \pmod N$; the
other cases can be handled similarly. In this case, we simply set the compressed
Rabin-PDH signature to be $\theta_{N,h,h'}(s, d)$ - i.e., the $\theta$ quasi-permutation's compression
of $s$ for modulus $N$ and parameters $h$ and $h'$. To verify the compressed
Rabin-PDH signature, the verifier simply recovers $s$ from $\theta_{N,h,h'}(s, d)$, and then
verifies $s$ in the normal fashion. Note that anybody can create a compressed
Rabin-PDH signature from a (non-compressed) Rabin-PDH signature, and vice
versa, without needing trapdoor information - i.e., the compression algorithm is
completely separate from the signing process.

The proof of security for compressed Rabin-PDH follows easily from the proof
of security for (non-compressed) Rabin-PDH. Specifically, let A be a chosen-message
attack adversary against Compressed Rabin-PDH, and let B be a chosen-message
attack adversary against Rabin-PDH that interacts both with a "challenger"
and with A. To respond to A's signature query on $M$, B queries the
challenger regarding $M$, receives back Rabin-PDH signature $x'$, and sends $x$ to
A, where $x = \theta_{N,h,h'}(x', d)$. Eventually, A aborts or sends B a forgery $x^*$ on a
message $M^*$ that it has never queried. B aborts or computes $x'^* = \theta^{-1}_{N,h,h'}(x^*)$
and sends $x'^*$ to the challenger as its forgery.

The encryption case is more complicated, because the compression algorithm
cannot be separated from the encryption process. Unfortunately, this fact -
together with the fact that the encryption scheme is not quite a one-way permutation
as required by OAEP+, but rather a quasi-bijection - requires us to redo the entire
OAEP+ security proof, albeit with relatively minor modifications. At a high
level, encryption and decryption proceed as follows:

Encryption:

1. Compute $x \in [1, h'']$, an encoding of $M$.

2. Compute $x' = \pi_{N,h,h'}(x, d) \in B_{N,h,h'} \subset [0, N/2)$.

3. Compute $y = x'^2 \pmod N$.

4. Output $c = y - h$ as the ciphertext.

Decryption:

1. Recover $y$ from $c$ and $h$.

2. Compute each $x' \in B_{N,h,h'} \subset [0, N/2)$ such that $x'^2 \equiv y \pmod N$.

3. For each $x'$, compute the values of $x = \pi^{-1}_{N,h,h'}(x')$.

4. For each $x$, undo the message encoding, and confirm that the message $M$ is
encoded correctly.

5. If an $x$ is encoded correctly, output the decryption; otherwise, indicate decryption
failure.

For Vallée's parameters, for a given $x'$, there are at most two values of $x$ in Step
3 - i.e., $l_4 = 2$ - so the encoding of at most 4 values of $x$ must be checked.
As mentioned in Section 5 and further discussed in Appendix B, our preferred
parameters are the values of $h' - h$ and $h''$ fixed there.

Although we could use any of a variety of encoding schemes, we prove that
Compressed Rabin-OAEP+ has a tight reduction to factoring. The OAEP+
encoding scheme uses three hash functions:

$G : \{0,1\}^{k_0} \to \{0,1\}^m$, $\quad H' : \{0,1\}^{m+k_0} \to \{0,1\}^{k_1}$, $\quad H : \{0,1\}^{m+k_1} \to \{0,1\}^{k_0}$

where $m, k_0, k_1$ are security parameters. The quantities $2^{-k_0}$ and $2^{-k_1}$ should
be negligible. Let $n = m + k_0 + k_1 = \log h''$, which is at most $\frac{2}{3} \log N$ plus a small constant. To encode message
$M \in \{0,1\}^m$, the sender:

1. Picks a random $r \in \{0,1\}^{k_0}$.

2. Sets $s \leftarrow (G(r) \oplus M) \| H'(r \| M)$ and $t \leftarrow H(s) \oplus r$.

3. Sets $x \leftarrow s \| t$, an $n$-bit integer.

In Step 4 of Decryption, the recipient decodes by parsing each candidate $x_i$ into
$s_i \| t_i$ for $s_i \in \{0,1\}^{m+k_1}$ and $t_i \in \{0,1\}^{k_0}$, and then parsing $s_i$ into $s'_i \| s''_i$ for
$s'_i \in \{0,1\}^m$ and $s''_i \in \{0,1\}^{k_1}$. For each $i$, the recipient computes $r_i \leftarrow t_i \oplus H(s_i)$
and $M_i \leftarrow s'_i \oplus G(r_i)$, and tests whether $s''_i = H'(r_i \| M_i)$. If there is a unique
$i$ for which the condition is satisfied, the recipient outputs $M_i$ as the correct
plaintext; otherwise, it indicates a decryption failure. For technical reasons in
the security proof, we require that $d = r$ - i.e., that the encrypter use $r$ as the
random bits in the computation of $\pi_{N,h,h'}(x, d)$ - and that the decrypter indicate
a decryption failure if this is not done. For Compressed Rabin-OAEP+, we prove
the following theorem in Appendix C.

Theorem 6. Let A be an IND-CCA2 adversary that breaks Compressed Rabin-OAEP+
in time $t$ with advantage $\epsilon$ for modulus $N$. Then $\epsilon$ is at most
$(q_{H'} + q_D)/2^{k_1} + (q_D + 1) q_G / 2^{k_0}$ plus $\epsilon'$ times a constant that depends only on the
parameters of the $\pi$ quasi-bijection, where $\epsilon'$ is the success probability that a particular
algorithm B can factor in time $t' = O(t + q_G q_H T_f + (q_G + q_{H'} + q_H + q_D) \log N)$, and
$T_f$ is the complexity of encryption.
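The OAEP+ encoding of Steps 1-3 and the recipient's check in Step 4 of Decryption (accept only if exactly one candidate verifies), as an added runnable example that is not code from the paper. $G$, $H'$ and $H$ are instantiated here with SHA-256 in counter mode and the bit lengths $m, k_0, k_1$ are toy values; both are assumptions, since the paper treats the hashes as random oracles and fixes no concrete sizes. The compression map $\pi$ and the Rabin squaring are left out; the block works on the encoded integer $x$ directly.

```python
"""OAEP+ encode/decode (Section 6) with SHA-256-based G, H', H (assumed instantiation)."""
import hashlib
import secrets

M_BITS, K0_BITS, K1_BITS = 128, 64, 64      # m, k0, k1: constructed toy parameters
N_BITS = M_BITS + K0_BITS + K1_BITS         # n = m + k0 + k1, bit length of x = s||t


def _mask(label: bytes, seed: bytes, nbits: int) -> int:
    """Oracle label(seed) -> nbits-bit integer, SHA-256 in counter mode (assumed instantiation)."""
    out, counter = b"", 0
    while len(out) * 8 < nbits:
        out += hashlib.sha256(label + counter.to_bytes(4, "big") + seed).digest()
        counter += 1
    return int.from_bytes(out, "big") >> (len(out) * 8 - nbits)


def _bytes(v: int, nbits: int) -> bytes:
    return v.to_bytes((nbits + 7) // 8, "big")


def G(r: int) -> int:                         # {0,1}^k0 -> {0,1}^m
    return _mask(b"G", _bytes(r, K0_BITS), M_BITS)


def Hp(r: int, M: int) -> int:                # H'(r||M): {0,1}^{m+k0} -> {0,1}^k1
    return _mask(b"H'", _bytes(r, K0_BITS) + _bytes(M, M_BITS), K1_BITS)


def H(s: int) -> int:                         # {0,1}^{m+k1} -> {0,1}^k0
    return _mask(b"H", _bytes(s, M_BITS + K1_BITS), K0_BITS)


def oaep_plus_encode(M: int, r: int) -> int:
    """x = s||t with s = (G(r) xor M) || H'(r||M) and t = H(s) xor r."""
    assert 0 <= M < 1 << M_BITS and 0 <= r < 1 << K0_BITS
    s = ((G(r) ^ M) << K1_BITS) | Hp(r, M)
    t = H(s) ^ r
    return (s << K0_BITS) | t


def oaep_plus_decode(x: int):
    """Undo the encoding; returns (M, r), or None when the H' check fails."""
    s = x >> K0_BITS
    t = x & ((1 << K0_BITS) - 1)
    s_prime = s >> K1_BITS                    # s'  in {0,1}^m
    s_dprime = s & ((1 << K1_BITS) - 1)       # s'' in {0,1}^k1
    r = t ^ H(s)
    M = s_prime ^ G(r)
    if s_dprime != Hp(r, M):
        return None
    return M, r


def decrypt_candidates(candidates):
    """Decryption Step 5: output M only if exactly one candidate x is a valid encoding."""
    valid = [res for res in (oaep_plus_decode(x) for x in candidates) if res is not None]
    if len(valid) != 1:
        return None                           # decryption failure
    return valid[0][0]


def demo() -> bool:
    """Fresh random message and coins round-trip through encode/decode."""
    M, r = secrets.randbits(M_BITS), secrets.randbits(K0_BITS)
    x = oaep_plus_encode(M, r)
    return x.bit_length() <= N_BITS and oaep_plus_decode(x) == (M, r)
```

Because $r$ is recovered as $t \oplus H(s)$ before $M$ is unmasked, any change to $s$ or $t$ changes the $H'$ input and the $k_1$-bit tag check fails except with probability about $2^{-k_1}$, which is why the paper asks for $2^{-k_1}$ to be negligible.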

7 Extensions 

In the full version of the paper, we describe compressed signcryption, aggregate
signature and ring signature schemes, in which we achieve a 33% bandwidth
reduction in comparison to Rabin variants of the schemes in [24], [23] and [29].
We also note that our compression algorithms can be applied to allow shorter 
identity-based secret and public keys for the Fiat-Shamir signature scheme and 
Cocks’ identity-based encryption scheme. 
A Security Proof for Improved Rabin-PDH

To prove our scheme secure against existential forgery under chosen-message
attacks, we construct the following game:

Setup: B gives A the public key $N$, retaining $H_1$ for use as a random oracle.

Hash Queries: A can make a query $M_i$ to the $H_1$-oracle at any time. If B
has received an identical query before, it responds as it did before. Otherwise,
B responds by first generating a random value $c_i \in \{-2, -1, 1, 2\}$ with
uniform distribution. It then generates a number $s_i \in B_{N, c_i h, c_i h'}$ with uniform
distribution and sets $H_1(M_i) = s_i^2 / c_i \pmod N$. It logs $(M_i, s_i)$ into its
$H_1$-list. (When $c_i = \pm 2$, there is a small complication - namely, $s_i$ must be chosen
s.t. not only $c_i h \pmod N < s_i^2 \pmod N < c_i h' \pmod N$, but also $s_i^2 \pmod N \in
\{c_i h \pmod N, \ldots, c_i (h' - 1) \pmod N\}$. The simulator can accomplish this easily
simply by discarding the sampled $s_i$'s that don't satisfy the latter condition
(50% of them for $|c_i| = 2$).)

Signature Queries: A can make a signature query on $M_i$ at any time. B
responds by using $M_i$ to recover $s_i$ from its $H_1$-list (first creating the $H_1$ entry
for $M_i$ as above if A has not queried it); it then sends $s_i$.

Forgery: Eventually, the adversary either aborts or outputs a signature $s$ on a
message $M$ for which it has not made a signature query.

One can easily confirm that B's $H_1$-query responses, as well as its signature
responses, are indistinguishable from uniform; in fact, they are perfectly uniform.

Any forgery that A manages to generate for message $M$ must satisfy $s^2 \equiv
\pm H_1(M) \pmod N$ or $s^2 \equiv \pm 2 \cdot H_1(M) \pmod N$. If A made no $H_1$-query at $M$,
then its probability of success is at most $1/h''$. If A did make an $H_1$-query at $M$,
then B recovers the value $s'$ associated to $M$ from its $H_1$-list. With probability
$\frac{1}{2}$, $\gcd(s - s', N)$ gives a nontrivial factor of $N$. Thus, $\epsilon'$ is at least about half of $\epsilon$
(up to the $1/h''$ term), and $t' = O(t + q_H \log^2 N)$.
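The core of this reduction, as an added runnable experiment that is not code from the paper: B programs $H_1(M_i) = s_i^2 / c_i$ so that it knows a square root of $c_i H_1(M_i)$ without the trapdoor, and a forger who returns a different root of the same value hands B a factor of $N$ via $\gcd(s - s', N)$. Simplifications that are assumptions of this example only: the range restriction to $B_{N,h,h'}$ and the Farey-interval machinery are dropped, so $s_i$ is sampled from all of $\mathbb{Z}_N$; the toy modulus uses $p \equiv 3$, $q \equiv 7 \pmod 8$ so that exactly one of $\pm H_1(M), \pm 2 H_1(M)$ is a square mod $N$; and the "forger" is simulated with the trapdoor $(p, q)$ so the experiment runs end to end.

```python
"""Appendix A reduction, simplified: programmed H_1 oracle and factoring from a forgery."""
import math
import random


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; these bases are exact for n < 3.3e24."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(start: int, residue: int, modulus: int = 8) -> int:
    """Smallest prime >= start that is congruent to residue mod modulus."""
    n = start + (residue - start) % modulus
    while not is_prime(n):
        n += modulus
    return n


P = next_prime(1 << 60, 3)    # toy p = 3 (mod 8); far too small for real use
Q = next_prime(1 << 62, 7)    # toy q = 7 (mod 8)
N = P * Q


def sqrt_mod_n(y: int) -> list:
    """All square roots of y mod N (trapdoor needed); [] if y is not a square mod N."""
    rp, rq = pow(y, (P + 1) // 4, P), pow(y, (Q + 1) // 4, Q)
    if (rp * rp - y) % P or (rq * rq - y) % Q:
        return []
    cp, cq = Q * pow(Q, -1, P), P * pow(P, -1, Q)          # CRT idempotents
    return sorted({(sp * cp + sq * cq) % N for sp in (rp, P - rp) for sq in (rq, Q - rq)})


class RabinPDHSimulator:
    """B from Appendix A: answers H_1 and signature queries knowing only N."""

    def __init__(self, seed: int = 2004):
        self.rng = random.Random(seed)
        self.h1_list = {}                                  # M -> (s_i, c_i)

    def hash_query(self, M: bytes) -> int:
        if M not in self.h1_list:
            c = self.rng.choice((-2, -1, 1, 2))
            s = self.rng.randrange(1, N)
            self.h1_list[M] = (s, c)
        s, c = self.h1_list[M]
        return s * s * pow(c % N, -1, N) % N              # H_1(M) = s_i^2 / c_i (mod N)

    def sign_query(self, M: bytes) -> int:
        self.hash_query(M)
        return self.h1_list[M][0]                          # s_i^2 = c_i * H_1(M): a valid signature


def verify(sim: RabinPDHSimulator, M: bytes, s: int) -> bool:
    """Rabin-PDH verification: s^2 = +-H_1(M) or +-2 H_1(M) (mod N)."""
    hv = sim.hash_query(M)
    return any(s * s % N == c * hv % N for c in (-2, -1, 1, 2))


def forge_with_trapdoor(sim: RabinPDHSimulator, M: bytes, rng: random.Random) -> int:
    """Stand-in for A: a uniformly random valid signature on M, computed with P and Q."""
    hv = sim.hash_query(M)
    for c in (-2, -1, 1, 2):
        roots = sqrt_mod_n(c * hv % N)
        if roots:                                          # exactly one c works for this modulus
            return rng.choice(roots)
    raise AssertionError("c_i * H_1(M) = s_i^2 is always a square")


def factor_from_forgery(sim: RabinPDHSimulator, M: bytes, s_star: int):
    """gcd(s* - s_i, N) splits N whenever s* != +-s_i, i.e. for half of A's possible roots."""
    s_i, _ = sim.h1_list[M]
    g = math.gcd((s_star - s_i) % N, N)
    return g if 1 < g < N else None


def run_experiment(trials: int, seed: int = 1) -> int:
    """Number of trials in which B factors N from A's forgery (expect about trials / 2)."""
    rng, sim, successes = random.Random(seed), RabinPDHSimulator(seed), 0
    for i in range(trials):
        M = b"message-%d" % i
        s_star = forge_with_trapdoor(sim, M, rng)
        assert verify(sim, M, s_star)
        if factor_from_forgery(sim, M, s_star) is not None:
            successes += 1
    return successes
```

The four roots of $s_i^2$ are $\pm s_i$ and $\pm v$; only the latter two give a factor, which is the "with probability $\frac{1}{2}$" in the proof above, and because B never uses $p$ or $q$ to answer queries, A's view is the same as against a real signer.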

B Details of the $\pi$ Quasi-bijection

Let $x \in [0, h'']$, where $h''$ is a parameter whose value will be calibrated later.
The $\pi$ quasi-permutation sends $x$ to an element of $B_{N,h,h'}$, as follows.

Computing $\pi(x, d)$:

1. Compute $x \cdot \frac{N}{2h''}$ and determine $(a_i, b_i)$ for which the result is in $J(a_i, b_i)$.

2. Compute $x_{left}$, the smallest integer in $[0, h'']$ with $(x_{left} + 1) \cdot \frac{N}{2h''}$ in $I(a_i, b_i)$,
and $x_{right}$, the largest integer in $[0, h'']$ with $x_{right} \cdot \frac{N}{2h''}$ in $I(a_i, b_i)$.

3. Compute $n_{c+f}$, the number of lattice points in the chest and feet of $P(a_i, b_i)$,
and $n_l$, a lower bound for the number of points in the legs.

4. Using Vallée's enumeration, select one lattice point $(u, w)$ (there may be
several) that corresponds to $x - x_{left}$. More specifically:

- Pick an integer $c \in \left( \frac{(n_{c+f} + n_l)(x - x_{left} - 1)}{x_{right} - x_{left}},\; \frac{(n_{c+f} + n_l)(x - x_{left})}{x_{right} - x_{left}} \right]$.

- If $c \le n_{c+f}$, pick the lattice point $(u, w)$ that has enumeration $c$ in the
chest or feet.

- Otherwise, let $s_v$ be Vallée's lower bound for the number of leg lattice
points on quasi-horizontal lines with index at most $v$. Compute $v$ such that
$s_{v-1} < c - n_{c+f} \le s_v$. Let $n_v$ be the number of lattice points on the line
with index $v$ and let $n'_v = s_v - s_{v-1}$ be Vallée's lower-bound estimate. Pick an integer
$c' \in \left( \frac{n_v (c - n_{c+f} - s_{v-1} - 1)}{n'_v},\; \frac{n_v (c - n_{c+f} - s_{v-1})}{n'_v} \right]$, and set $(u, w)$ to be the $c'$-th point
in $P(a_i, b_i)$ on the line.

5. Set $x' = x_0 + u$, where $x_0$ is the base point of the lattice associated to $J(a_i, b_i)$. Output $x'$.

We omit the description of $\pi^{-1}(x')$, since it should be clear from the above. Now,
we mention some of the properties of the $\pi$ quasi-permutation.

Choosing the parameters such that $0 < x_{right} - x_{left} \le n_{c+f} + n_l$ - i.e.,
such that the lower bound on the number of points in $P(a_i, b_i)$ is at least
the number of bit strings associated to $I(a_i, b_i)$ - ensures that $l_1$ is at least 1,
since one can always find a value for $c$ in the computation of $\pi$. Notice that
$(x_{right} - x_{left} - 1) \cdot \frac{N}{2h''}$ is less than the diameter of $I(a_i, b_i)$.

This bounds $x_{right} - x_{left} - 1$ from above in terms of that diameter and $h''$. Now consider the parameters used
by Vallée. Vallée considered the case $-h = h' = 4N^{2/3}$, so that $h' - h = 8N^{2/3}$.
For this value of $h' - h$, Vallée proved a lower bound on $n_{c+f} + n_l$
(see [33]). Thus, if $h''$ is at most the threshold this bound yields, then $x_{right} - x_{left} - 1 < n_{c+f} + n_l$. As long
as the $n_l$ estimate is an integer, this implies that $x_{right} - x_{left} \le n_{c+f} + n_l$, as
desired. To ensure that $x_{right} - x_{left}$ is never zero, we want that
$h'' \ge N^{2/3}/16$, which corresponds to the diameter of the narrowest
Farey interval. So, we can set $h''$ to be anything between these two bounds;
values closer to the upper one involve less ciphertext expansion.

On the other hand, we would like $l_2$ and $l_4$ to be small positive constants.
This ensures that picking $x$ (and $d$) uniformly and outputting $\pi(x, d)$ is a quasi-uniform
drawing algorithm for $B_{N,h,h'}$ (this helps get a tight security proof for
the encryption scheme). The computation of $\pi^{-1}(x')$ outputs up to two values
of $x$, exactly one for each Farey interval that contains $x'$; thus $l_4 = 2$. We
use Vallée's upper bounds to bound $l_2$. Specifically, Vallée's computations give an upper bound on
$n_{c+f} + n_l$ (its constant factor is $1.004 + 0.125$ plus a small correction term),
allowing us to upper bound the number of possible values of $c$ by 4 for our choice of $h''$. Also,
there are at most 4 (see Vallée's Leg Theorem) possible values of $c'$, so $l_2$
is at most $4 \times 4 = 16$. Accordingly, for Vallée's $h' - h$ and our choice of $h''$, one
gets a $(1, 16, 1, 2)$ quasi-bijection.



C Security Proof for Compressed Rabin-OAEP+ 

Recall the standard definition of security against adaptive chosen-ciphertext attack.
An algorithm A "breaks" the encryption scheme if, in the following game,
it outputs the correct value of $b$ in the final stage with more than negligible
advantage:

Setup: The challenger generates a Rabin modulus $N$ and hash functions $G$, $H'$
and $H$, defined as above. It sends $(N, G, H', H)$ to A.

Phase 1: A requests the challenger to decrypt ciphertexts of A's choosing.

Challenge: A chooses two plaintexts $M_0$ and $M_1$ and sends them to the challenger.
The challenger randomly chooses a bit $b \in \{0, 1\}$, encrypts $M_b$, and sends
the ciphertext $c$ to A.

Phase 2: A again requests the challenger to decrypt ciphertexts of A's choosing,
other than the Challenge ciphertext.

Output: Finally, A outputs a bit $b' \in \{0, 1\}$.

We define A's advantage as: $\mathrm{Adv}(A) = |\Pr[b' = b] - \frac{1}{2}|$.

In the game above, algorithm B plays the part of the challenger, using its
control over the random oracles $G$, $H'$ and $H$ to respond to A's decryption
queries. We say that the system is $(t, \epsilon, q_D, q_G, q_{H'}, q_H)$-secure if no attacker
limited to time $t$, to $q_D$ decryption queries, to $q_G$ $G$-queries, to $q_{H'}$ $H'$-queries,
and to $q_H$ $H$-queries, has advantage more than $\epsilon$. Now, we define aspects of the
game more precisely.

Hash queries: A can query $G$, $H'$ or $H$ at any time. In responding to these
queries, B maintains a $G$-list, $H'$-list and $H$-list logging queries and responses. If
A makes a query that is contained in one of B's lists, B responds the same way
it did before. Otherwise, for $G$, it generates a random $m$-bit string with uniform
distribution, sends this to A as its $G$-query response, and logs A's $G$-query and
its response on its $G$-list. It responds similarly to $H'$-queries and $H$-queries. We
use the convention that before A makes an $H'$-query on $(r_i, M_i)$, it makes a
$G$-query on $r_i$ and an $H$-query on $s_i = (G(r_i) \oplus M_i) \| H'(r_i \| M_i)$.

Challenge: At some point, A produces two plaintexts $M_0, M_1 \in \{0,1\}^m$ on
which it wishes to be challenged. B picks a random $b \in \{0, 1\}$ and encrypts $M_b$
in the usual way. Let $c^*$ be the resulting ciphertext, and let $s'^*, s''^*, t^*, r^*$, and
$M^*$ denote the values corresponding to $c^*$ that would be obtained through the
decryption process.

Decryption Queries and Probability Analysis: A can make decryption
queries at any time, subject to the constraint that it cannot query the Challenge
ciphertext in Phase 2. Our treatment of decryption queries closely tracks Shoup's
analysis for trapdoor permutations encoded using OAEP+. Shoup's analysis consists
of a sequence of games $G_i$ for $0 \le i \le 5$, each game a slight modification
of the previous one, where $G_0$ represents the attack on the encryption scheme,
and $G_5$ is a certain attack in which an adversary obviously has no advantage.
Shoup bounds $|\Pr[S_{i-1}] - \Pr[S_i]|$ for $1 \le i \le 5$, where $\Pr[S_i]$ is an adversary's
probability of success in game $G_i$, thereby bounding an adversary's advantage
in $G_0$. To reduce space, our proof draws heavily from Shoup's proof.

In game $G_1$, the decryption oracle decrypts ciphertext $c_i$ as usual, recovering
$s'_i, s''_i, t_i, r_i$, and $M_i$ in the process. The decryption oracle is identical to $G_0$ (e.g.,
it can find modular square roots) except that the decryption oracle in $G_1$ rejects
whenever $r_i$ is not on its $G$-list. Let $F_1$ be the event that a ciphertext rejected in
$G_1$ would not have been rejected in $G_0$. Consider a ciphertext $c \ne c^*$ submitted
to the decryption oracle. If $r = r^*$ and $M = M^*$, then since there is only a
single legitimate ciphertext generated from $r^*$ and $M^*$ (recall that we use $r$
as the random bits in the $\pi$ quasi-bijection), $G_0$ would also have rejected. Our
analysis of the case $r_i \ne r^*$ or $M_i \ne M^*$ is identical to Shoup's, leading to
the conclusion that $|\Pr[S_0] - \Pr[S_1]| \le q_D / 2^{k_1}$.

In game $G_2$, the decryption oracle is identical to that of $G_1$, except it rejects
when $s_i$ is not on its $H$-list. Let $F_2$ be the event that a ciphertext rejected in $G_2$
would not have been rejected in $G_1$. For ciphertext $c_i \ne c^*$ with $s_i$ not on the
$H$-list, we consider two cases:

Case 1: $s_i = s^*$. Now, $s_i = s^*$ and $c_i \ne c^*$ implies $t_i \ne t^*$ (again because we
made $\pi$ deterministic given $r$). Shoup's remaining analysis of this case also works
for our situation.

Case 2: $s_i \ne s^*$. Our analysis here is again identical.

Like Shoup, we obtain $|\Pr[S_1] - \Pr[S_2]| = \Pr[F_2] \le q_{H'} / 2^{k_1} + q_D q_G / 2^{k_0}$.

In game $G_3$ the decryption oracle does not have access to a trapdoor, but
instead maintains a ciphertext-list. After receiving an $H'$-query $(r_i, M_i)$, it computes
all possible values of $x' = \pi_{N,h,h'}(s_i \| t_i, r_i)$ and $c_i = x'^2 - h \pmod N$. It
logs these ciphertexts in its ciphertext-list. Shoup's probability analysis applies
to our case: $\Pr[S_2] = \Pr[S_3]$. His time-complexity analysis also applies: over the
course of $G_3$, the decryption oracle's complexity is $O(q_G q_H T_f + (q_G + q_{H'} + q_H + q_D) \log N)$,
where $T_f$ is the complexity of the encryption function.

Game $G_4$, in which Shoup replaces the original random oracles with different
but identically distributed variables, also works in our case. (See [31] for details
of $G_4$.) Note the new encryption oracle in $G_4$ is identically distributed to the old
one, even though "$f$" is not a permutation in our case, since Shoup's changes
only affect $f$'s input, not $f$ itself. $\Pr[S_3] = \Pr[S_4]$.

Game $G_5$ is the same as $G_4$ (whose details we left to [31]) except that the
encryption oracle chooses random strings $r^+ \in \{0,1\}^{k_0}$ and $g^+ \in \{0,1\}^m$, and
it uses these values in the computation of the ciphertext, as described in [31].
Since $g^+$ is only used to mask $M^*$, $\Pr[S_5] = \frac{1}{2}$. Like Shoup, we also obtain in
our case that $\Pr[S_4] - \Pr[S_5] \le \Pr[F_5]$, where $F_5$ is the event that A queries
$G$ at $r^*$. However, our proofs finally diverge significantly at this point. Shoup
describes an auxiliary game $G_6$ in which the encryption oracle is modified again
to simply output a random number $c^+$ in the ciphertext space (in our case,
$B_{N,h,h'} \cap [0, N/2)$), and then he uses the fact that, for a permutation, $c^+$ comes
from a distribution identical to $c^*$. We cannot do this, since the $\pi$ quasi-bijection
chooses from $B_{N,h,h'} \cap [0, N/2)$ - and thus from the ciphertext space - only quasi-uniformly.

Instead, we define our $c^+$ as $f(w)$ for $w \in \{0,1\}^n$ chosen randomly with
uniform distribution, and (as always) $r^*$ and $s^*$ are defined with respect to this
ciphertext. Then, for reasons analogous to those used by Shoup, if we define $F'_6$
to be the event that A queries $G$ at $r^*$ in game $G_6$, we have $\Pr[F_5] = \Pr[F'_6]$.
Letting $F''_6$ be the event that A queries $H$ at $s^*$ in game $G_6$, we have that
$\Pr[F'_6] = \Pr[F'_6 \wedge F''_6] + \Pr[F'_6 \wedge \neg F''_6]$.

Now, we claim that, if $\pi$ is an $(l_1, l_2, l_3, l_4)$ quasi-bijection, then $\Pr[F'_6 \wedge F''_6]$ is at
most $\mathrm{Adv}(B)$ times a constant depending only on $(l_1, l_2, l_3, l_4)$. For brevity, denote the probability
$\Pr[F'_6 \wedge F''_6 \mid w']$ - i.e., the probability that $F'_6$ and $F''_6$ occur given the value
$w' = \pi_{N,h,h'}(w, \cdot)$ for $w$ as chosen above - by $P_{w'}$, where $w'$ will be treated as a random
variable. Notice that, for any $w'$, there exists a $v'$ such that $w'^2 \equiv v'^2 \pmod N$ and
$\gcd(w' - v', N)$ is a nontrivial factor of $N$; in fact, we can "pair off" the numbers in $B_{N,h,h'}$,
so that each $w'$ corresponds to exactly one $v'$. Suppose that $r'' \in \{0,1\}^{k_0}$ and
$s'' \in \{0,1\}^{m+k_1}$ correspond to $v'$. If A queries $r''$ and $s''$ (which occurs
with probability $P_{v'}$), then B can use $w' = f(w)$ to find a nontrivial factor of $N$
by taking every pair $r_i, s_i$ queried by A, deriving the corresponding $t''$, computing
$x'' = \pi_{N,h,h'}(s_i \| t_i, r_i)$, and checking whether $\gcd(x'' - w', N)$ is a nontrivial factor.

Overall, we have that $\Pr[F'_6 \wedge F''_6] = \sum_{w'} \Pr[F'_6 \wedge F''_6 \mid w'] \cdot \Pr[w']$. By quasi-uniformity,
this probability is at most a constant (depending only on the quasi-bijection parameters) times
$\sum_{w'} \Pr[F'_6 \wedge F''_6 \mid w'] \cdot \Pr[v']$, where each $w'$ is paired off with a $v'$ that gives a
nontrivial factor. However, the latter sum is at most B's probability of success, which proves
the claim.

For the same reason as in [31], $\Pr[F'_6 \wedge \neg F''_6] \le q_G / 2^{k_0}$. Thus, we get that $\Pr[F'_6]$ is at
most a constant times $\mathrm{Adv}(B)$, plus $q_G / 2^{k_0}$. Collecting all of the results, we get the
time and complexity bounds stated in the theorem.
Abstract. In this paper, we study the bounded sum-of-digits discrete
logarithm problem in finite fields. Our results concern primarily the
fields $F_{q^n}$ where $n \mid q - 1$. These fields are called Kummer extensions of $F_q$.
It is known that we can efficiently construct an element $g$ with order
greater than $2^n$ in these fields. Let $S_q(\cdot)$ be the function from integers
to the sum of digits in their $q$-ary expansions. We first present an algorithm
that, given $g^e$ ($0 \le e < q^n$), finds $e$ in random polynomial time,
provided that $S_q(e) < n$. We then show that the problem is solvable in
random polynomial time for most of the exponents $e$ with $S_q(e) < 1.32n$,
by exploring an interesting connection between the discrete logarithm
problem and the problem of list decoding of Reed-Solomon codes, and
applying the Guruswami-Sudan algorithm. As a side result, we obtain a
sharper lower bound on the number of congruent polynomials generated
by linear factors than the one based on the Stothers-Mason ABC-theorem.
We also prove that in the field $F_{q^{q-1}}$, the bounded sum-of-digits discrete
logarithm with respect to $g$ can be computed in random time
$O(f(w))$ times a polynomial in $\log(q^{q-1})$, where $f$ is a subexponential function and $w$ is the
bound on the $q$-ary sum-of-digits of the exponent; hence the problem is
fixed parameter tractable. These results generalize to the
Artin-Schreier extension $F_{p^p}$ where $p$ is a prime. Since every finite field
has an extension of reasonable degree which is a Kummer extension, our
result reveals an unexpected property of the discrete logarithm problem,
namely, the bounded sum-of-digits discrete logarithm problem in any
given finite field becomes polynomial time solvable in certain low degree
extensions.



1 Introduction and Motivations

Most practical public key cryptosystems base their security on the hardness
of solving the integer factorization problem or the discrete logarithm problem
in finite fields. Both of the problems admit subexponential algorithms, thus we
have to use long parameters, which makes the encryption/decryption costly if
the parameters are randomly chosen. Parameters of low Hamming weight, or
more generally, of small sum-of-digits, offer some remedy. Using them speeds
up the system while seeming to keep the security intact. In particular, in
cryptosystems based on the discrete logarithm problem in finite fields of small
characteristic, using small sum-of-digits exponents is very attractive, due to the
existence of normal bases [1]. It has been proposed and implemented for smart cards and
mobile devices, where the computing power is severely limited. Although attacks
exploiting this special structure were proposed [14], none of them have polynomial time
complexity.

Let $F_{q^n}$ be a finite field. For $\beta \in F_{q^n}$, if $\beta, \beta^q, \beta^{q^2}, \ldots, \beta^{q^{n-1}}$ form a linear
basis of $F_{q^n}$ over $F_q$, we call them a normal basis. It is known that a normal
basis exists for every pair of a prime power $q$ and a positive integer $n$ [11, Page
29]. Every element $\alpha$ in $F_{q^n}$ can be represented as

$\alpha = a_0 \beta + a_1 \beta^q + \cdots + a_{n-1} \beta^{q^{n-1}}$

where $a_i \in F_q$ for $0 \le i \le n - 1$. The power of $q$ is a linear operation, thus

$\alpha^q = a_0 \beta^q + a_1 \beta^{q^2} + \cdots + a_{n-2} \beta^{q^{n-1}} + a_{n-1} \beta.$

Hence to compute the $q$-th power, we only need to shift the digits, which can be
done very fast, possibly on the hardware level. Let $e$ be an integer with $q$-ary
expansion

$e = e_0 + e_1 q + e_2 q^2 + \cdots + e_{n-1} q^{n-1} \quad (0 \le e_i < q \text{ for } 0 \le i \le n-1). \quad (1)$

The sum-of-digits of $e$ in the $q$-ary expansion is defined as $S_q(e) = \sum_{i=0}^{n-1} e_i$.
When $q = 2$, the sum-of-digits becomes the famous Hamming weight. To compute
$\alpha^e$, we only need to do shiftings and at most $S_q(e)$ many multiplications.
Furthermore, the exponentiation algorithm can be parallelized, which is a property
not enjoyed by the large characteristic fields. For details, see [16].
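The two facts above made concrete, as an added example that is not code from the paper: in a normal basis the $q$-th power is a rotation of the coordinate vector, so $\alpha^e$ needs only rotations plus $S_q(e) - 1$ multiplications. The choice $q = 2$, $n = 8$ and the modulus $x^8 + x^4 + x^3 + x + 1$ for the underlying polynomial-basis arithmetic are assumptions of this example; the paper fixes no particular field. A normal element $\beta$ is found by brute force, and coordinates are obtained by Gaussian elimination over $F_2$.

```python
"""Normal-basis arithmetic in F_{2^8}: Frobenius as a rotation, sum-of-digits exponentiation."""

Q, N_DEG = 2, 8            # F_{q^n} with q = 2, n = 8 (assumed toy field)
MODULUS = 0x11B            # x^8 + x^4 + x^3 + x + 1 (assumed defining polynomial)


def gf_mul(a: int, b: int) -> int:
    """Multiply in polynomial basis (bit i of an int is the coefficient of x^i)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= MODULUS
    return r


def gf_pow(a: int, e: int) -> int:
    """Ordinary square-and-multiply, used only as a reference result."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def frobenius(a: int) -> int:
    """a -> a^q with q = 2: the F_q-linear map the paper exploits."""
    return gf_mul(a, a)


def _reduce(v: int, combo: int, pivots: dict):
    """Reduce vector v by the pivot rows, tracking which basis elements were used."""
    for bit in reversed(range(N_DEG)):
        if (v >> bit) & 1 and bit in pivots:
            v ^= pivots[bit][0]
            combo ^= pivots[bit][1]
    return v, combo


class NormalBasis:
    """Coordinates with respect to beta, beta^q, ..., beta^{q^{n-1}} (Gaussian elimination over F_2)."""

    def __init__(self, beta: int):
        self.basis = [beta]
        for _ in range(N_DEG - 1):
            self.basis.append(frobenius(self.basis[-1]))
        self.pivots = {}     # leading bit -> (reduced vector, bitmask of basis elements summed)
        for i, v in enumerate(self.basis):
            v, combo = _reduce(v, 1 << i, self.pivots)
            if v == 0:
                raise ValueError("conjugates are linearly dependent: beta is not normal")
            self.pivots[v.bit_length() - 1] = (v, combo)

    def to_coords(self, a: int) -> list:
        v, combo = _reduce(a, 0, self.pivots)
        assert v == 0                        # the basis spans the whole field
        return [(combo >> i) & 1 for i in range(N_DEG)]

    def from_coords(self, coords: list) -> int:
        a = 0
        for c, b in zip(coords, self.basis):
            if c:
                a ^= b
        return a


def find_normal_element() -> NormalBasis:
    """Brute-force search; a normal basis always exists [11, Page 29]."""
    for beta in range(1, 1 << N_DEG):
        try:
            return NormalBasis(beta)
        except ValueError:
            continue
    raise RuntimeError("no normal element found")


def rotate(coords: list, i: int) -> list:
    """Coordinates of a^{q^i}: the q-th power rotates the coordinate vector by one place."""
    i %= N_DEG
    return coords[-i:] + coords[:-i] if i else list(coords)


def sum_of_digits(e: int, q: int = Q) -> int:
    s = 0
    while e:
        s += e % q
        e //= q
    return s


def pow_sum_of_digits(nb: NormalBasis, a: int, e: int):
    """a^e for 0 <= e < q^n using rotations for the q-th powers; returns (a^e, multiplications)."""
    assert 0 <= e < Q ** N_DEG
    coords = nb.to_coords(a)
    result, mults = None, 0
    for i in range(N_DEG):
        if (e >> i) & 1:                                   # digit e_i (q = 2, so 0 or 1)
            term = nb.from_coords(rotate(coords, i))       # a^{q^i}, no multiplication needed
            if result is None:
                result = term
            else:
                result = gf_mul(result, term)
                mults += 1
    return (1 if result is None else result), mults
```

For general $q$ the digit $e_i$ can exceed 1 and $(\alpha^{q^i})^{e_i}$ costs $e_i - 1$ further multiplications, which is how the bound of $S_q(e)$ multiplications in the text arises; for $q = 2$ it is the Hamming weight.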

1.1 Related Work 

The discrete logarithm problem in the finite field $F_{q^n}$ is to compute an integer $e$ such
that $g' = g^e$, given a generator $g$ of a subgroup of $F_{q^n}^*$ and $g'$ in the subgroup.
The general purpose algorithms to solve the discrete logarithm problem are the
number field sieve and the function field sieve (for a survey see [13]). They have
time complexity

$\exp\left(c (\log q^n)^{1/3} (\log \log q^n)^{2/3}\right)$

for some constant $c$, when $q$ is small, or $n$ is small.

Suppose we want to compute the discrete logarithm of $g^e$ with respect to
base $g$ in the finite field $F_{q^n}$. If we know that the Hamming weight of $e$ is equal
to $w$, there is an algorithm proposed by Coppersmith (described in [14]), which
works well if $w$ is very small. It is a clever adaption of the baby-step giant-step
idea, and runs in random time $O\left(\sqrt{w} \binom{\lceil n/2 \rceil}{\lfloor w/2 \rfloor}\right)$. It is proved in [14] that
the average-case complexity achieves only a constant factor speed-up over the
worst case. It is not clear how his idea can be generalized when the exponent
has small sum-of-digits in the base $q > 2$. However, we can consider the very
special case where $e_i \in \{0, 1\}$ for $0 \le i \le n - 1$ and $\sum_{0 \le i \le n-1} e_i = \lfloor n/2 \rfloor$.
Recall that the $e_i$'s are the digits of $e$ in the $q$-ary expansion. It can be verified
that Coppersmith's algorithm can be applied in this case. The time complexity
becomes $O\left(\sqrt{n} \binom{\lceil n/2 \rceil}{\lfloor n/4 \rfloor}\right)$. Unless $q$ is large, it is much worse than the time complexity
of the function field sieve on a general exponent.

If the $q$-ary sum-of-digits of the exponent is bounded by $w$, is there an algorithm
which runs in time $f(w) \log^c(q^n)$ and solves the discrete logarithm problem
in $F_{q^n}$, for some function $f$ and a constant $c$? A similar problem has been raised
from the parametric point of view by Fellows and Koblitz [10], where they consider
the prime finite fields and the bounded Hamming weight exponents. Their
problem is listed among the most important open problems in the theory of
parameterized complexity [9]. From the above discussions, it is certainly more
relevant to cryptography to treat the finite fields with small characteristic and
exponents with bounded sum-of-digits.

Unlike the case of integer factorization, where a lot of special purpose
algorithms exist, the discrete logarithm problem is considered more intractable
in general. As an example, one should not use an RSA modulus of about 1000 bits
with one prime factor of 160 bits. It would be vulnerable to the elliptic curve
factorization algorithm. However, in the Digital Signature Standard, adopted by
the U.S. government, the finite field has cardinality about $2^{1024}$ or larger, while
the encryption/decryption is done in a subgroup of cardinality about $2^{160}$. As
another example, one should search for a secret prime as random as possible in
RSA, while in the case of the discrete logarithm problem, one may use a finite
field of small characteristic, hence a group of very special order. It is believed
that no trapdoor can be placed in the group order, as long as it has a large
prime factor (see the panel report on this issue in the Proceedings of Eurocrypt
1992). In order to have an efficient algorithm to solve the discrete logarithm,
we need that every prime factor of the group order is bounded by a polynomial
function of the logarithm of the cardinality of the field. Given the current state
of analytic number theory, it is very hard, if not impossible, to decide whether
there exist infinitely many finite fields of even (or constant) characteristic where
the discrete logarithm can be solved in polynomial time.

In summary, there are several common perceptions about the discrete loga- 
rithm problem in finite fields: 

1. As long as the group order has a big prime factor, the discrete logarithm problem is hard. We may use exponents with small sum-of-digits, since the discrete logarithm problem in that case seems to be fixed-parameter intractable. We gain an advantage in speed by using bounded sum-of-digits exponents, and at the same time keep the problem as infeasible as using general exponents.

2. If computing the discrete logarithm is difficult, it should be difficult for any generator of the group. The discrete logarithm problem with respect to one generator can be reduced to the discrete logarithm problem with respect to any generator. Even though in the small sum-of-digits case a reduction is not available, it is not known that changing the generator of the group affects the hardness of the discrete logarithm problem.
1.2 Our Results

In this paper, we show that those assumptions taken in combination are incorrect. We study the discrete logarithm problem in large multiplicative subgroups of Kummer and Artin-Schreier extensions with a prescribed base, and prove that the bounded sum-of-digits discrete logarithm is easy in those groups. More precisely, we prove constructively:

Theorem 1. (Main) There exists a random algorithm to find the integer $e$ given $g$ and $g^e$ in $\mathbb{F}_{q^n}$ in time polynomial in $\log(q^n)$ under the conditions:

1. $n \mid q - 1$;

2. $0 < e < q^n$, and $S_q(e) < n$;

3. $g = \alpha + b$ where $\mathbb{F}_q(\alpha) = \mathbb{F}_{q^n}$, $b \in \mathbb{F}_q^*$ and $\alpha^n \in \mathbb{F}_q$.

Moreover, there does not exist an integer $e' \neq e$ satisfying $0 < e' < q^n$, $S_q(e') < n$ and $g^e = g^{e'}$.

The theorem leads directly to a parameterized complexity result concerning the bounded sum-of-digits discrete logarithm, which answers an important open question for special, yet non-negligibly many, cases.

Corollary 1. There exists an element $g$ of order greater than $2^{q-1}$ in $\mathbb{F}^*_{q^{q-1}}$, such that the discrete logarithm problem with respect to the generator $g$ can be solved in time $f(w)\log^{c}(q^{q-1})$, where $f$ is a subexponential function and $w$ is the bound of the sum-of-digits of the exponent in the $q$-ary expansion.

A few comments are in order:

— For a finite field $\mathbb{F}_{q^n}$, if $n \mid q - 1$, then there exists $g \in \mathbb{F}_{q^n}$ satisfying the condition in the theorem; in other words, there exists an irreducible polynomial of the form $x^n - a$ ($a \in \mathbb{F}_q$) over $\mathbb{F}_q$. Conversely, if there exists $\alpha$ such that $\mathbb{F}_q(\alpha) = \mathbb{F}_{q^n}$ and $\alpha^n \in \mathbb{F}_q$, then $n \mid q - 1$.

— As a comparison, Coppersmith's algorithm runs in exponential time in the case where $e_i \in \{0, 1\}$ for $0 \le i \le n - 1$, $S_q(e) =$ and $q <$ , while our algorithm runs in polynomial time in that case. On the other hand, Coppersmith's algorithm works for every finite field, while our algorithm works in Kummer extensions. Our result has an indirect effect on an arbitrary finite field though, since every finite field has extensions of degree close to a given number which are Kummer extensions. As an example, suppose we want to find such an extension of $\mathbb{F}_q$ with degree about $\log^2 q$. We first pick a random $n$ close to $\log q$ such that $(n, q) = 1$. Let $l$ be the order of $q$ in $\mathbb{Z}/n\mathbb{Z}$. The field $\mathbb{F}_{(q^l)^n}$ is a Kummer extension of $\mathbb{F}_{q^l}$, and an extension of $\mathbb{F}_q$. According to Theorem 1, there is a polynomial time algorithm which computes the discrete logarithm to some element $g$ in $\mathbb{F}_{q^{ln}}$ provided that the sum-of-digits of the exponent in the $q^l$-ary expansion is less than $n$. Hence our result reveals an unexpected property of the discrete logarithm problem in finite fields: the difficulty of the bounded sum-of-digits discrete logarithm problem drops dramatically if we move up to extensions and increase the base of the exponent accordingly.

— Numerical evidence suggests that the order of $g$ is often equal to the group order $q^n - 1$, and is close to the group order otherwise. However, it seems hard to prove. In fact, this is one of the main obstacles in improving the efficiency of AKS-style primality testing algorithms [2]. We make the following conjecture.

Conjecture 1. Suppose that a finite field $\mathbb{F}_{q^n}$ and an element $g$ in the field satisfy the conditions in Theorem 1. In addition, $n > \log q$. The order of $g$ is greater than $q^{n/c}$ for an absolute constant $c$.

— Even though we cannot prove that the largest prime factor of the order of $g$ is very big, it seems, as supported by numerical evidence, that the order of $g$, which is a factor of $q^n - 1$ bigger than $2^n$, is rarely smooth. For instance, in $\mathbb{F}_{2^{889}} = \mathbb{F}_{128^{127}}$, any such $g$ generates the whole group $\mathbb{F}^*_{2^{889}}$. The order $2^{889} - 1$ contains a prime factor of 749 bits. One should not attempt to apply the Silver-Pohlig-Hellman algorithm here.

A natural question arises: can the restriction on the sum-of-digits in Theorem 1 be relaxed? Clearly if we can solve the problem under the condition $S_q(e) < (q - 1)n$ in polynomial time, then the discrete logarithm problem in the subgroup generated by $g$ is broken. If $g$ is a generator of $\mathbb{F}^*_{q^n}$, then the discrete logarithm problems in $\mathbb{F}_{q^n}$ and any of its subfields to any base are broken. We find a surprising relationship between the relaxed problem and the list decoding problem of Reed-Solomon codes. We are able to prove:

Theorem 2. Suppose $e$ is chosen randomly from the set

$$\{0 < e < q^n - 1 \mid S_q(e) < 1.32n\}.$$

There exists an algorithm, given $g$ and $g^e$ in $\mathbb{F}_{q^n}$, to find $e$ in time polynomial in $\log(q^n)$, with probability greater than $1 - c^{-n}$ for some constant $c$ greater than 1, under the conditions:

1. $n \mid q - 1$;

2. $g = \alpha + b$ where $\mathbb{F}_q(\alpha) = \mathbb{F}_{q^n}$, $b \in \mathbb{F}_q^*$ and $\alpha^n \in \mathbb{F}_q$.

Given a polynomial ring $\mathbb{F}_q[x]/(h(x))$, it is an important problem to determine the size of the multiplicative subgroup generated by $x - s_1, x - s_2, \dots, x - s_n$, where $(s_1, s_2, \dots, s_n) = S$ is a list of distinct elements in $\mathbb{F}_q$, and for all $i$, $h(s_i) \neq 0$. The lower bound of the order directly affects the time complexity of AKS-style primality proving algorithms. In that context, we usually have $\deg h(x) \mid n$. Assume that $\deg h(x) = n$. For a list of integers $E = (e_1, e_2, \dots, e_n)$, we denote

$$(x - s_1)^{e_1}(x - s_2)^{e_2}\cdots(x - s_n)^{e_n}$$

by $(x - S)^E$. One can estimate the number of distinct congruence classes of polynomials of the form $(x - S)^E$ modulo $h(x)$ for $E$ in a certain set. It is obvious that if $E \in \{(e_1, e_2, \dots, e_n) \mid \sum e_i \le n - 1,\ e_i \ge 0\}$, then all the polynomials are in different congruence classes. This gives a lower bound of $4^n$. Through a clever use of the Stothers-Mason ABC-theorem, Voloch [15] and Bernstein [5] proved that if $\sum e_i \le 1.1n$, then at most 4 such polynomials can fall in the same congruence class, hence obtained a lower bound of $4.27689^n$. We improve their result and obtain a lower bound of $5.17736^n$.

206 Qi Cheng

Theorem 3. Use the above notation. Let $C$ be

$$\Big\{(e_1, e_2, \dots, e_n) \;\Big|\; e_i \ge 0 \text{ for } 1 \le i \le n,\ \sum_{i=1}^{n} e_i \le 1.5501n,\ |\{i \mid e_i \neq 0\}| = \lfloor 0.7416n\rfloor\Big\}.$$

If there exist pairwise different elements $E_1, E_2, \dots, E_m \in C$ such that

$$(x - S)^{E_1} \equiv (x - S)^{E_2} \equiv \cdots \equiv (x - S)^{E_m} \pmod{h(x)},$$

then $m = O(n^2)$. Note that $|C| = 5.17736^n\, n^{O(1)}$.

By allowing negative exponents, Voloch [15] obtained a bound of $5.828^n$. Our bound is smaller than his. However, starting from $|S| = 2\deg h(x)$, our method gives better bounds. Details are left to the full paper. A distinct feature of our bound is that it relates to the list decoding algorithm of Reed-Solomon codes. If a better list decoding algorithm is found, then our bound can be improved accordingly.

1.3 Organization of the Paper 

The paper is organized as follows. In Section 2, we list some results of counting 
numbers with small sum-of-digits. In Section 3, we present the basic idea and 
the algorithm, and prove Theorem 1 and Corollary 1. In Section 4, we prove 
Theorem 2 and Theorem 3. In Section 5, we extend the results to Artin-Schreier 
extensions. We conclude our paper with discussions of open problems. 

2 Numbers with Small Sum-of-Digits

Suppose that the $q$-ary expansion of a positive integer $e$ is

$$e = e_0 + e_1 q + e_2 q^2 + \cdots + e_{n-1}q^{n-1},$$

where $0 \le e_i \le q - 1$ for all $0 \le i \le n - 1$. How many nonnegative integers $e$ less than $q^n$ satisfy $S_q(e) = w$? Denote the number by $N(w, n, q)$. Then $N(w, n, q)$ equals the number of nonnegative integral solutions of

$$\sum_{i=0}^{n-1} e_i = w$$

under the conditions that $0 \le e_i \le q - 1$ for all $0 \le i \le n - 1$. The generating function for $N(w, n, q)$ is

$$(1 + x + \cdots + x^{q-1})^n = \sum_i N(i, n, q)\, x^i.$$

If $w \le q - 1$, then the conditions $e_i \le q - 1$ can be removed, and we have that $N(w, n, q) = \binom{w+n-1}{n-1}$. It is easy to see that if $q = 2$, we have that $N(w, n, 2) = \binom{n}{w}$. In a later section, we will need to estimate $N(w, n, q)$, where $w$ is $n$ times a small constant less than 2. Since
$$
\begin{aligned}
(1 + x + \cdots + x^{q-1})^n
&= \left(\frac{1 - x^q}{1 - x}\right)^n
 = (1 - x^q)^n \sum_{i=0}^{\infty} \binom{i+n-1}{n-1} x^i \\
&\equiv (1 - n x^q) \sum_{i=0}^{2q-1} \binom{i+n-1}{n-1} x^i \pmod{x^{2q}} \\
&\equiv \sum_{i=0}^{2q-1} \binom{i+n-1}{n-1} x^i \;-\; n \sum_{i=q}^{2q-1} \binom{i-q+n-1}{n-1} x^i \pmod{x^{2q}} \\
&\equiv \sum_{i=0}^{q-1} \binom{i+n-1}{n-1} x^i \;+\; \sum_{i=q}^{2q-1} \left(\binom{i+n-1}{n-1} - n\binom{i-q+n-1}{n-1}\right) x^i \pmod{x^{2q}}.
\end{aligned}
$$

Hence $N(w, n, q) = \binom{w+n-1}{n-1} - n\binom{w-q+n-1}{n-1}$ if $q \le w < 2q$.
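As an added illustration (this code is not part of the paper), the following Python computes $N(w,n,q)$ three ways: by brute-force enumeration of the digit vectors, by the two-term expression just derived for $w < 2q$, and by the full inclusion-exclusion expansion of $(1-x^q)^n(1-x)^{-n}$, of which the two-term expression is the $w < 2q$ special case. The function names are mine; the parameters used in the usage lines are small constructed values.

```python
from itertools import product
from math import comb


def count_brute_force(w, n, q):
    """N(w, n, q) by enumeration: digit vectors (e_0, ..., e_{n-1}) with
    0 <= e_i <= q-1 and sum e_i = w.  Only feasible for tiny n and q."""
    return sum(1 for digits in product(range(q), repeat=n) if sum(digits) == w)


def count_inclusion_exclusion(w, n, q):
    """Coefficient of x^w in (1 + x + ... + x^(q-1))^n = (1 - x^q)^n (1 - x)^(-n):
    sum over j of (-1)^j C(n, j) C(w - j*q + n - 1, n - 1).
    For w < 2q only j = 0, 1 contribute, which is the two-term formula in the text."""
    total = 0
    for j in range(n + 1):
        rest = w - j * q
        if rest < 0:
            break                      # C(rest + n - 1, n - 1) = 0 once rest < 0
        total += (-1) ** j * comb(n, j) * comb(rest + n - 1, n - 1)
    return total


def count_two_term(w, n, q):
    """The special case derived in the text, valid for w < 2q
    (for w <= q - 1 the second term vanishes and only C(w+n-1, n-1) remains)."""
    assert w < 2 * q
    second = comb(w - q + n - 1, n - 1) if w >= q else 0
    return comb(w + n - 1, n - 1) - n * second


def sum_of_digits(e, q):
    """S_q(e): the sum of the digits of e in base q."""
    s = 0
    while e:
        s, e = s + e % q, e // q
    return s


if __name__ == "__main__":
    # constructed parameters: q = 3, n = 3, all weights w from 0 to n(q-1)
    for w in range(7):
        print(w, count_brute_force(w, 3, 3), count_inclusion_exclusion(w, 3, 3))
```

For $q = 2$ the inclusion-exclusion count collapses to $\binom{n}{w}$, and summing $N(w,n,q)$ over all $w$ gives $q^n$, both of which are convenient sanity checks.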



3 The Basic Ideas and the Algorithm

The basic idea of our algorithm is adopted from the index calculus algorithm. Let $\mathbb{F}_{q^n}$ be a Kummer extension of $\mathbb{F}_q$, namely $n \mid q - 1$. Assume that $q = p^d$ where $p$ is the characteristic. The field $\mathbb{F}_{q^n}$ is usually given as $\mathbb{F}_p[x]/(u(x))$ where $u(x)$ is an irreducible polynomial of degree $dn$ over $\mathbb{F}_p$. If $g$ satisfies the condition in Theorem 1, then $x^n - \alpha^n$ must be an irreducible polynomial over $\mathbb{F}_q$. Denote $\alpha^n$ by $a$. To implement our algorithm, it is necessary that we work in another model of $\mathbb{F}_{q^n}$, namely $\mathbb{F}_q[x]/(x^n - a)$. Fortunately the isomorphism

$$\psi : \mathbb{F}_p[y]/(u(y)) \to \mathbb{F}_{q^n} = \mathbb{F}_q[x]/(x^n - a)$$

can be efficiently computed. To compute $\psi(v(y))$, where $v(y)$ is a polynomial of degree at most $dn - 1$ over $\mathbb{F}_p$, all we have to do is to factor $u(y)$ over $\mathbb{F}_q[x]/(x^n - a)$ and to evaluate $v(y)$ at one of the roots. Factoring polynomials over finite fields is a well-studied problem in computational number theory; we refer to [3] for a complete survey of results. The random algorithm runs in expected time $O(dn(dn + \log q^n)(dn\log q^n)^2)$, and the deterministic algorithm runs in time $O(dn(dn + q)(dn\log q^n)^2)$. From now on we assume the model $\mathbb{F}_q[x]/(x^n - a)$.

Consider the subgroup generated by $g = \alpha + b$ in $(\mathbb{F}_q[x]/(x^n - a))^*$; recall that $b \in \mathbb{F}_q^*$ and $\alpha = x \pmod{x^n - a}$. The generator $g$ has order greater than $2^n$ [8], and has a very nice property as follows. Denote $\alpha^{q-1}$ by $h$; we have

$$g^q = (\alpha + b)^q = \alpha^q + b = \alpha^{q-1}\alpha + b = h\alpha + b,$$

and more generally

$$(\alpha + b)^{q^i} = \alpha^{q^i} + b = h^i\alpha + b.$$

In other words, we obtain a set of relations: $\log_{\alpha+b}(h^i\alpha + b) = q^i$ for $0 \le i \le n - 1$. This corresponds to the precomputation stage of the index calculus. The difference is that, in our case, the stage finishes in polynomial time, while generally it requires subexponential time. For a general exponent $e$,

$$(\alpha + b)^e = (\alpha + b)^{e_0 + e_1 q + \cdots + e_{n-1}q^{n-1}} = (\alpha + b)^{e_0}(h\alpha + b)^{e_1}(h^2\alpha + b)^{e_2}\cdots(h^{n-1}\alpha + b)^{e_{n-1}}.$$

If $f(\alpha)$ is an element in $\mathbb{F}_{q^n}$, where $f \in \mathbb{F}_q[x]$ is a polynomial of degree less than $n$, and $f(\alpha) = (\alpha + b)^e$ and $S_q(e) < n$, then due to unique factorization in $\mathbb{F}_q[x]$, $f(x)$ can be completely split into a product of linear factors over $\mathbb{F}_q$. We can read the discrete logarithm from the factorization, after the coefficients are normalized. The algorithm is described as follows.

Algorithm 1 Input: $g$, $g^e$ in $\mathbb{F}_{q^n} = \mathbb{F}_q[x]/(x^n - a)$ satisfying the conditions in Theorem 1.

Output: $e$.

1. Define an order in $\mathbb{F}_q$ (for example, use the lexicographic order). Compute and sort the list $(1, h, h^2, h^3, \dots, h^{n-1})$.

2. Suppose that $g^e$ is represented by $f(\alpha)$, where $f \in \mathbb{F}_q[x]$ has degree less than $n$. Factor $f(x)$ over $\mathbb{F}_q$; let $f(x) = c(x + d_1)^{e'_1}\cdots(x + d_k)^{e'_k}$ where $c, d_1, \dots, d_k$ are in $\mathbb{F}_q$.

3. (Normalization) Normalize the coefficients and reorder the factors of $f(x)$ such that their constant coefficients are $b$ and $f(x) = (x + b)^{e_0}(h_1 x + b)^{e_1}\cdots(h_{n-1}x + b)^{e_{n-1}}$, where $h_i = h^i$;

4. Output $e_0 + e_1 q + \cdots + e_{n-1}q^{n-1}$.

Step 1 takes time $O(n\log^2 q\log n + n\log n\log q) = O(n\log n\log^2 q)$. The most time-consuming part is to factor a polynomial over $\mathbb{F}_q$ of degree at most $n$. The random algorithm runs in expected time $O(n(n + \log q)(n\log q)^2)$ and the deterministic algorithm runs in time $O(n(n + q)(n\log q)^2) = O(n^3 q\log^2 q)$. Normalization and reordering can be done in time $O(n\log n\log q)$, since we have a sorted list of $(1, h, h^2, h^3, \dots, h^{n-1})$. Thus the algorithm can be finished in random time $O(n(n + \log q)(n\log q)^2)$ and in deterministic time $O(n^3 q\log^2 q)$. This concludes the proof of the main theorem.
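The following Python code is an added example (mine, not the paper's implementation) that runs Algorithm 1 on a toy Kummer extension. It assumes $q = 7$ (prime, so $d = 1$ and $\mathbb{F}_q$ arithmetic is integer arithmetic mod 7), $n = 3 \mid q - 1$, and $a = 2$, which is not a cube mod 7, so $x^3 - 2$ is irreducible over $\mathbb{F}_7$; with $b = 3$ the base is $g = \alpha + 3$. Elements of $\mathbb{F}_q[x]/(x^n - a)$ are coefficient lists, and $g^e$ is built by honest square-and-multiply in that ring, so the Frobenius relations $(\alpha+b)^{q^i} = h^i\alpha + b$ are not assumed but exercised. Step 2 (factoring $f(x)$) is done by brute-force root finding, which suffices for a 7-element field; the Cantor-Zassenhaus step is what a real implementation would use. All function names are mine.

```python
# Toy Kummer extension F_{q^n} = F_q[x]/(x^n - a); constructed parameters, q prime.
Q, DEG, A, B = 7, 3, 2, 3   # n | q-1; 2 is not a cube mod 7 so x^3 - 2 is irreducible; b in F_q^*

# A field element is a list [c_0, ..., c_{n-1}] meaning c_0 + c_1*alpha + ... with alpha^n = a.

def ext_mul(u, v):
    """Multiply two elements of F_q[x]/(x^n - a)."""
    prod = [0] * (2 * DEG - 1)
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            prod[i + j] = (prod[i + j] + ui * vj) % Q
    for k in range(2 * DEG - 2, DEG - 1, -1):      # fold x^k = a * x^(k-n)
        prod[k - DEG] = (prod[k - DEG] + A * prod[k]) % Q
    return prod[:DEG]

def ext_pow(u, e):
    """Square-and-multiply in the field; used only to build the instance g^e."""
    result, base = [1] + [0] * (DEG - 1), list(u)
    while e:
        if e & 1:
            result = ext_mul(result, base)
        base = ext_mul(base, base)
        e >>= 1
    return result

def poly_eval(f, x):
    """Evaluate a polynomial over F_q (coefficient list, low degree first) at x."""
    return sum(c * pow(x, i, Q) for i, c in enumerate(f)) % Q

def poly_div_root(f, r):
    """Divide f by (x - r) by synthetic division; r must be a root of f."""
    deg = len(f) - 1
    quot = [0] * deg
    quot[deg - 1] = f[deg]
    for i in range(deg - 1, 0, -1):
        quot[i - 1] = (f[i] + r * quot[i]) % Q
    assert (f[0] + r * quot[0]) % Q == 0
    return quot

def bounded_dlog(target):
    """Algorithm 1: given f(alpha) = g^e with g = alpha + b and S_q(e) < n, return e.
    Returns None when f does not split into factors of the form h^i x + b."""
    h = pow(A, (Q - 1) // DEG, Q)                  # h = alpha^(q-1) = a^((q-1)/n), a primitive n-th root of unity in F_q
    index_of = {pow(h, i, Q): i for i in range(DEG)}  # step 1: table of h^i (a dict stands in for the sorted list)
    f = list(target)
    while len(f) > 1 and f[-1] == 0:
        f.pop()
    digits = [0] * DEG
    while len(f) > 1:                               # step 2: peel off linear factors
        root = next((r for r in range(Q) if poly_eval(f, r) == 0), None)
        if root is None or root == 0:               # no root, or root 0 (impossible since b != 0)
            return None
        # step 3: the factor x - root came from h^i x + b = h^i (x + b/h^i), so h^i = -b/root
        i = index_of.get((-B * pow(root, -1, Q)) % Q)
        if i is None:
            return None
        digits[i] += 1
        f = poly_div_root(f, root)
    expected_lead = 1                               # leading coefficient must equal prod (h^i)^{e_i}
    for i, ei in enumerate(digits):
        expected_lead = expected_lead * pow(h, i * ei, Q) % Q
    if f[0] != expected_lead:
        return None
    return sum(ei * Q ** i for i, ei in enumerate(digits))   # step 4

def sum_of_digits(e, q):
    s = 0
    while e:
        s, e = s + e % q, e // q
    return s

G = [B, 1] + [0] * (DEG - 2)   # g = alpha + b

if __name__ == "__main__":
    for e in (8, 56, 98, 3):   # S_7(3) = 3 = n, so e = 3 lies outside the theorem
        print(e, sum_of_digits(e, Q), bounded_dlog(ext_pow(G, e)))
```

For $e = 8 = 1 + 7$ the instance is $(\alpha+3)(4\alpha+3) = 4\alpha^2 + \alpha + 2$, and the two roots $1$ and $4$ of $4x^2 + x + 2$ over $\mathbb{F}_7$ map back to $h^1$ and $h^0$, giving the digits $(1, 1, 0)$. The final leading-coefficient check is what rejects inputs such as $g^3$, whose factorization has the right roots but the wrong normalization.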

Now we are ready to prove Corollary 1. Any $f(x)$ where $f(\alpha) = (\alpha + b)^e \in \langle\alpha + b\rangle \subset \mathbb{F}^*_{q^{q-1}}$ is congruent to a product of at most $w = S_q(e)$ linear factors modulo $x^{q-1} - a$. If $w < q - 1$, we have an algorithm running in time $O(q^4\log^2 q)$, according to Theorem 1. So we only need to consider the case when $w \ge q - 1$. The general purpose algorithm will run in random time $f(\log q^{q-1})$, where $f$ is a subexponential function. The corollary follows from the fact that $\log q^{q-1} \le w\log w$.

4 The Application of the List Decoding Algorithm of Reed-Solomon Codes

A natural question arises: can we relax the bound on the sum-of-digits and still get a polynomial time algorithm? Solving the problem under the condition $S_q(e) < (q - 1)n$ basically renders the discrete logarithm problems in $\mathbb{F}_{q^n}$ and any of its subfields easy. Suppose that $g^e = f(\alpha)$ where $f(x) \in \mathbb{F}_q[x]$ has degree less than $n$. Using the same notation as in the previous section, we have

$$f(\alpha) = (\alpha + b)^{e_0}(h\alpha + b)^{e_1}\cdots(h^{n-1}\alpha + b)^{e_{n-1}}.$$

Hence there exists a polynomial $t(x)$ of degree $\sum_{i=0}^{n-1} e_i - n$ such that

$$f(x) + (x^n - a)\,t(x) = (x + b)^{e_0}(hx + b)^{e_1}\cdots(h^{n-1}x + b)^{e_{n-1}}.$$

If the cardinality of $\{i \mid e_i \neq 0\}$ is greater than $k$, then the curve $y = t(x)$ passes through at least $k$ points in the set

$$\left\{\left(z,\; -\frac{f(z)}{z^n - a}\right) \;\middle|\; z \in \left\{-b,\ -\frac{b}{h},\ \dots,\ -\frac{b}{h^{n-1}}\right\}\right\}.$$

To find all the polynomials of degree $d = \sum_{i=0}^{n-1} e_i - n$ which pass through at least $k$ points in a given set of $n$ points is an instance of the list decoding problem of Reed-Solomon codes. It turns out that there are only a few such polynomials, and they can be found efficiently as long as $k > \sqrt{nd}$.

Proposition 1. (Guruswami-Sudan [12]) Given $n$ distinct elements $x_0, x_1, \dots, x_{n-1} \in \mathbb{F}_q$, $n$ values $y_0, y_1, \dots, y_{n-1} \in \mathbb{F}_q$ and a natural number $d$, there are at most $O(\sqrt{n^3 d})$ univariate polynomials $t(x) \in \mathbb{F}_q[x]$ of degree at most $d$ such that $y_i = t(x_i)$ for at least $\sqrt{nd}$ of the points. Moreover, these polynomials can be found in random polynomial time.

For each $t(x)$, we use the Cantor-Zassenhaus algorithm to factor $f(x) + (x^n - a)t(x)$. There must exist a $t(x)$ such that the polynomial $f(x) + (x^n - a)t(x)$ can be completely factored into a product of linear factors in $\{h^i x + b \mid 0 \le i \le n - 1\}$, and $e$ is computed as a consequence.



4.1 The Proof of Theorem 2

In this section, we consider the case when $S_q(e) < 1.32n$. If there are at least $0.5657n > \sqrt{0.32}\cdot n$ nonzero $e_i$'s, then we can apply the Guruswami-Sudan algorithm to find all the $t(x)$. In order to prove Theorem 2, it remains to show:

Lemma 1. Define $A_{n,q}$ as

$$\{(e_1, e_2, \dots, e_n) \mid e_1 + e_2 + \cdots + e_n < 1.32n,\ e_i \in \mathbb{Z} \text{ and } 0 \le e_i \le q - 1 \text{ for } 1 \le i \le n\}$$

and $B_n$ as

$$\{(e_1, e_2, \dots, e_n) \mid |\{i \mid e_i \neq 0\}| < 0.5657n\}.$$

We have

$$\frac{|A_{n,q} \cap B_n|}{|A_{n,q}|} < c^{-n}$$

for some constant $c > 1$ when $n$ is sufficiently large.
Proof. The cardinality of $A_{n,q}$ is at least $N(\lfloor 1.32n\rfloor, n, q) \ge 4.883987\ldots^n$. The cardinality of $A_{n,q} \cap B_n$ is less than $\sum_{v=0}^{\lfloor 0.5657n\rfloor} \binom{n}{v}\binom{\lfloor 1.32n\rfloor}{v}$, and the summands are maximized at $v = 0.5657n$ if $v \le 0.5657n$. Hence we have

$$|A_{n,q} \cap B_n| < 4.883799\ldots^n.$$

This proves the lemma with $c = 4.883987\ldots/4.883799\ldots > 1$.



4.2 The Proof of Theorem 3

Proof. Let $\tau$ be a positive real number less than 1. Define

$$C_{n,q,\tau} = \Big\{(e_1, e_2, \dots, e_n) \;\Big|\; e_1 + e_2 + \cdots + e_n = \lfloor(1 + \tau)n\rfloor,\ e_i \in \mathbb{Z} \text{ and } 0 \le e_i \le q - 1 \text{ for } 1 \le i \le n,\ |\{i \mid e_i \neq 0\}| = \lfloor\sqrt{\tau}\,n\rfloor\Big\}.$$

Given $f(x) \in \mathbb{F}_q[x]$, if there exists $E \in C_{n,q,\tau}$ such that $(x - S)^E \equiv f(x) \pmod{h(x)}$, there must exist a polynomial $t(x)$ such that $(x - S)^E = t(x)h(x) + f(x)$, and $t(x)$ is a solution of the list decoding problem with input $\{(s, -f(s)/h(s)) \mid s \in S\}$. According to Proposition 1, there are at most $O(n^2)$ solutions. Thus the number of congruence classes modulo $h(x)$ that $\{(x - S)^E \mid E \in C_{n,q,\tau}\}$ occupies is at least $\Omega(|C_{n,q,\tau}|/n^2)$. We have

$$|C_{n,q,\tau}| = \binom{n}{\sqrt{\tau}\,n}\binom{(1+\tau)n}{\sqrt{\tau}\,n}\, n^{O(1)} = \left(\frac{(1+\tau)^{1+\tau}}{\tau^{\sqrt{\tau}}\,(1-\sqrt{\tau})^{1-\sqrt{\tau}}\,(1+\tau-\sqrt{\tau})^{1+\tau-\sqrt{\tau}}}\right)^{n} n^{O(1)}.$$

It takes the maximum value $5.17736\ldots^n$ at $\tau = 0.5501$.



5 Artin-Schreier Extensions

Let $p$ be a prime. The Artin-Schreier extension of a finite field $\mathbb{F}_p$ is $\mathbb{F}_{p^p}$. It is easy to show that $x^p - x - a$ is an irreducible polynomial over $\mathbb{F}_p$ for any $a \in \mathbb{F}_p^*$. So we may take $\mathbb{F}_{p^p} = \mathbb{F}_p[x]/(x^p - x - a)$. Let $\alpha = x \pmod{x^p - x - a}$. For any $b \in \mathbb{F}_p$, we have

$$(\alpha + b)^p = \alpha^p + b = \alpha + b + a,$$

and similarly

$$(\alpha + b)^{p^i} = \alpha^{p^i} + b = \alpha + b + ia.$$

Hence the results for Kummer extensions can be adapted to Artin-Schreier extensions. For the subgroup generated by $\alpha + b$, we have a polynomial algorithm to solve the discrete logarithm if the exponent has $p$-ary sum-of-digits less than $p$. Note that $b$ may be 0 in this case.

Theorem 4. There exists an algorithm to find the integer $e$ given $g$ and $g^e$ in $\mathbb{F}_{p^p}$ in time polynomial in $\log p^p$ under the conditions:

1. $0 < e < p^p$, and $S_p(e) < p - 1$;

2. $g = \alpha + b$ where $\mathbb{F}_p(\alpha) = \mathbb{F}_{p^p}$, $b \in \mathbb{F}_p$ and $\alpha^p - \alpha \in \mathbb{F}_p^*$.

Moreover, there does not exist an integer $e' \neq e$ satisfying $0 < e' < p^p$, $S_p(e') < p - 1$ and $g^e = g^{e'}$.

Theorem 5. There exists an element $g$ of order greater than $2^p$ in $\mathbb{F}^*_{p^p}$, such that the discrete logarithm problem with respect to $g$ can be solved in time $O(f(w)(\log p^p)^{c})$, where $f$ is a subexponential function and $w$ is the bound of the sum-of-digits of the exponent in the $p$-ary expansion.

Theorem 6. Suppose that $g = \alpha + b$, where $\mathbb{F}_p(\alpha) = \mathbb{F}_{p^p}$, $b \in \mathbb{F}_p$ and $\alpha^p - \alpha \in \mathbb{F}_p^*$. Suppose $e$ is chosen at random from the set

$$\{0 < e < p^p - 1 \mid S_p(e) < 1.32p\}.$$

There exists an algorithm, given $g$ and $g^e$ in $\mathbb{F}_{p^p}$, to find $e$ in time polynomial in $\log(p^p)$, with probability greater than $1 - c^{-p}$ for some constant $c$ greater than 1.



6 Concluding Remarks

A novel idea in the celebrated AKS primality testing algorithm is to construct a subgroup of large cardinality through linear elements in finite fields. The subsequent improvements [6, 7, 4] rely on constructing a single element of large order. It is speculated that these ideas will be useful in attacking the integer factorization problem. In this paper, we show that they do affect the discrete logarithm problem in finite fields. We give an efficient algorithm which computes the bounded sum-of-digits discrete logarithm with respect to prescribed bases in Kummer extensions. We believe that this is more than a result which deals with only special cases, as every finite field has extensions of reasonable degrees which are Kummer extensions. For instance, if we need to compute the discrete logarithm of $s$ in $\mathbb{F}_q$ to base $p$, we can construct a suitable Kummer extension $\mathbb{F}_{q^{ln}}$, and try to solve the discrete logarithms of $s$ and $p$ with respect to a selected base in the extension. This approach is worth studying. Another interesting problem is to further relax the restriction on the sum-of-digits of the exponent. It is also important to prove or disprove Conjecture 1. If that conjecture is true, AKS-style primality proving can be made comparable to or even better than ECPP or the cyclotomic test in practice.
Abstract. We address one of the most fundamental problems concerning the RSA cryptoscheme: Does the knowledge of the RSA public key/secret key pair $(e, d)$ yield the factorization of $N = pq$ in polynomial time? It is well-known that there is a probabilistic polynomial time algorithm that on input $(N, e, d)$ outputs the factors $p$ and $q$. We present the first deterministic polynomial time algorithm that factors $N$ provided that $e, d < \phi(N)$ and that the factors $p$, $q$ are of the same bit-size. Our approach is an application of Coppersmith's technique for finding small roots of bivariate integer polynomials.

Keywords: RSA, Coppersmith's method



1 Introduction 

One of the most important tasks in public key cryptography is to establish the polynomial time equivalence of

— the problem of computing the secret key from the public information to

— a well-known hard problem $P$ that is believed to be computationally infeasible.

This reduction establishes the security of the secret key under the assumption that the problem $P$ is computationally infeasible. On the other hand, such a reduction does not provide any security for the public key system itself, since there might be ways to break a system without computing the secret key.

Now let us look at the RSA scheme. We briefly define the RSA parameters: Let $N = pq$ be a product of two primes of the same bit-size. Furthermore, let $e$, $d$ be integers such that $ed = 1 \bmod \phi(N)$, where $\phi(N)$ is Euler's totient function.

For the RSA scheme, we know that there exists a probabilistic polynomial time equivalence between the secret key computation and the problem of factoring the modulus $N$. The proof is given in the original RSA paper by Rivest, Shamir and Adleman [9] and is based on a work by Miller [8].

In this paper, we present a deterministic polynomial time algorithm that on input $(N, e, d)$ outputs the factors $p$, $q$, provided that $p$ and $q$ are of the same bit-size and that

$$ed < N^2.$$

M. Franklin (Ed.): CRYPTO 2004, LNCS 3152, pp. 213-219, 2004. 
In the normal RSA-case we have $e, d < \phi(N)$, since $e, d$ are defined modulo $\phi(N)$. This implies that $ed < N^2$ as required. Thus, our algorithm establishes the deterministic polynomial time equivalence between the secret key computation and the factorization problem in the most common RSA case. We reduce the problem of factoring $N$ to the problem of computing $d$; the reduction in the opposite direction is trivial.

Our approach is an application of Coppersmith's method [4] for finding small roots of bivariate integer polynomials. We want to point out that some cryptanalytic results [1,2] are based on Coppersmith's technique for solving modular bivariate polynomial equations. In contrast to these, we make use of Coppersmith's algorithm for bivariate polynomials with a small root over the integers. Therefore, our result does not depend on the usual heuristic for modular multivariate polynomial equations but is rigorous.

To the best of our knowledge, the only known application of Coppersmith's method for bivariate polynomials with a root over the integers is the so-called "factoring with high bits known" [4]: Given half of the most significant bits of $p$, one can factor $N$ in polynomial time. Howgrave-Graham [6] showed that this problem can be solved alternatively using a univariate modular approach (see also [5]).

Since our approach directly uses Coppersmith's method for bivariate integer polynomials, the proof of our reduction is brief and simple.

The paper is organized as follows. First, we present in Sect. 2 a deterministic polynomial time algorithm that factors $N$ on input $(N, e, d)$ provided that $ed < N^{\frac{3}{2}}$. This more restricted result is interesting, since RSA is frequently used with small $e$ in practice. Additionally, we need only elementary arithmetic in order to prove the result. As a consequence, the underlying algorithm has running time $O(\log^2 N)$.

Second, we show in Sect. 3 how to improve the previous result to the desired bound $ed < N^2$ by applying Coppersmith's method for solving bivariate integer polynomials. We conclude by giving experimental results in Sect. 4.

2 An Algorithm for $ed < N^{\frac{3}{2}}$

In this work, we always assume that $N$ is a product of two different prime factors $p$, $q$ of the same bit-size, wlog $p < q$. This implies

$$p < N^{\frac{1}{2}} < q < 2p < 2N^{\frac{1}{2}}.$$

We obtain the following useful estimates:

$$p + q < 3N^{\frac{1}{2}} \quad\text{and}\quad \phi(N) = N + 1 - (p + q) > \tfrac{1}{2}N.$$

Let us denote by $\lceil k\rceil$ the smallest integer greater than or equal to $k$. Furthermore, we denote by $\mathbb{Z}^*_{\phi(N)}$ the ring of invertible integers modulo $\phi(N)$.
In the following theorem, we present a very efficient algorithm that on input $(N, e, d)$ outputs the factors of $N$ provided that $ed < N^{\frac{3}{2}}$.

Theorem 1 Let $N = pq$ be an RSA-modulus, where $p$ and $q$ are of the same bit-size. Suppose we know integers $e$, $d$ with $ed > 1$,

$$ed = 1 \bmod \phi(N) \quad\text{and}\quad ed < N^{\frac{3}{2}}.$$

Then $N$ can be factored in time $O(\log^2 N)$.

Proof: Since $ed = 1 \bmod \phi(N)$, we know that

$$ed = 1 + k\phi(N) \quad\text{for some } k \in \mathbb{N}.$$

Next, we show that $k$ can be computed up to a small constant for our choice of $e$ and $d$. Therefore, let us define $\tilde{k} = \frac{ed - 1}{N}$ as an underestimate of $k$. We observe that

$$k - \tilde{k} = \frac{ed - 1}{\phi(N)} - \frac{ed - 1}{N} = \frac{N(ed - 1) - (N - p - q + 1)(ed - 1)}{\phi(N)N} = \frac{(p + q - 1)(ed - 1)}{\phi(N)N}.$$

Using the inequalities $p + q - 1 < 3N^{\frac{1}{2}}$ and $\phi(N) > \frac{1}{2}N$, we conclude that

$$k - \tilde{k} < 6N^{-\frac{3}{2}}(ed - 1). \qquad (1)$$

Since $ed < N^{\frac{3}{2}}$, we know that $k - \tilde{k} < 6$. Thus, one of the six values $\lceil\tilde{k}\rceil + i$, $i = 0, 1, \dots, 5$, must be equal to $k$. We test these six candidates successively. For the right choice $k$, we can compute

$$N + 1 - \frac{ed - 1}{k} = p + q.$$

From the value $p + q$, we can easily find the factorization of $N$.

Our approach uses only elementary arithmetic on integers of size $\log(N)$. Thus, the running time is $O(\log^2 N)$, which concludes the proof of the theorem. □
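The proof above is fully constructive, so the following Python code (an added example, not the authors' implementation) carries it out on a constructed toy key: two 20-bit primes rather than a real key size, with $e = 65537$. It computes $\lceil\tilde{k}\rceil$ with exact integer arithmetic, tests the six candidates for $k$, recovers $p + q$ from the one that divides $ed - 1$, and solves the quadratic $z^2 - (p+q)z + N = 0$ with an integer square root. The function names are mine.

```python
import math


def factor_from_ed(N, e, d):
    """Theorem 1: recover the balanced primes p < q of N = pq from (N, e, d)
    when ed < N^(3/2).  Write ed = 1 + k*phi(N); k_tilde = (ed-1)/N underestimates k
    by less than 6, so k is one of ceil(k_tilde) + i, i = 0..5.  For the right k,
    N + 1 - (ed-1)/k = p + q, and p, q are the roots of z^2 - (p+q) z + N."""
    m = e * d - 1
    k_ceil = -(-m // N)                      # ceil((ed-1)/N) without floating point
    for i in range(6):
        k = k_ceil + i
        if k == 0 or m % k:                  # the true k divides ed - 1 exactly
            continue
        s = N + 1 - m // k                   # candidate value of p + q
        disc = s * s - 4 * N
        if disc < 0:
            continue
        r = math.isqrt(disc)
        if r * r != disc or (s - r) % 2:     # roots must be integers
            continue
        p, q = (s - r) // 2, (s + r) // 2
        if 1 < p < q and p * q == N:
            return p, q
    return None


def within_theorem_bound(N, e, d):
    """True iff (ed)^2 < N^3, i.e. ed < N^(3/2), checked with exact integers."""
    return (e * d) ** 2 < N ** 3


def candidate_index(N, e, d, phi):
    """Position of the true k among the six candidates: k - ceil(k_tilde).
    Under the bound of Theorem 1 this is always in 0..5."""
    m = e * d - 1
    return m // phi - (-(-m // N))


def sample_key():
    """Constructed toy instance (not a secure key size): two 20-bit primes, e = 65537.
    Returns N, e, d together with p, q so the result can be checked."""
    p, q = 1000003, 1000033
    N = p * q
    phi = (p - 1) * (q - 1)
    e = 65537
    d = pow(e, -1, phi)                      # modular inverse, Python >= 3.8
    return N, e, d, p, q


if __name__ == "__main__":
    N, e, d, p, q = sample_key()
    print("ed < N^(3/2):", within_theorem_bound(N, e, d))
    print("recovered:", factor_from_ed(N, e, d), "expected:", (p, q))
```

With $e$ this small, $k < e$ and the gap $k - \tilde{k} = (p+q-1)(ed-1)/(\phi(N)N)$ is far below 1, so the first or second candidate already succeeds; the loop over six candidates is what the theorem needs for $ed$ close to $N^{3/2}$.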



3 The Main Result

In this section, we present a polynomial time algorithm that on input $(N, e, d)$ outputs the factorization of $N$ provided that $ed < N^2$. This improves upon the result of Theorem 1. However, the algorithm is less efficient, especially when we get close to the bound $N^2$.

Our approach makes use of the following result of Coppersmith [4] for finding small roots of bivariate integer polynomials.
Theorem 2 (Coppersmith) Let $f(x, y)$ be an irreducible polynomial in two variables over $\mathbb{Z}$, of maximum degree $\delta$ in each variable separately. Let $X$, $Y$ be bounds on the desired solution $(x_0, y_0)$. Let $W$ be the absolute value of the largest entry in the coefficient vector of $f(xX, yY)$. If

$$XY < W^{\frac{2}{3\delta}},$$

then in time polynomial in $\log W$ and $2^{\delta}$ we can find all integer pairs $(x_0, y_0)$ with $f(x_0, y_0) = 0$, $|x_0| \le X$ and $|y_0| \le Y$.

Now, let us prove our main theorem.

Theorem 3 Let $N = pq$ be an RSA-modulus, where $p$ and $q$ are of the same bit-size. Suppose we know integers $e$, $d$ with $ed > 1$,

$$ed = 1 \bmod \phi(N) \quad\text{and}\quad ed < N^2.$$

Then $N$ can be factored in time polynomial in the bit-size of $N$.

Proof: Let us start with the equation

$$ed = 1 + k\phi(N) \quad\text{for some } k \in \mathbb{N}. \qquad (2)$$

Analogous to the proof of Theorem 1, we define the underestimate $\tilde{k} = \frac{ed - 1}{N}$ of $k$. Using (1), we know that

$$k - \tilde{k} < 6N^{-\frac{3}{2}}(ed - 1) < 6N^{\frac{1}{2}}.$$

Let us denote $x = k - \tilde{k}$. Therefore, we have an approximation $\tilde{k}$ for the unknown parameter $k$ in (2) up to an additive error of $x$.

Next, we also want to find an approximation for the second unknown parameter $\phi(N)$ in (2). Note that

$$N - \phi(N) = p + q - 1 < 3N^{\frac{1}{2}}.$$

That is, $\phi(N)$ lies in the interval $[N - 3N^{\frac{1}{2}}, N]$. We can easily guess an estimate of $\phi(N)$ with additive error at most $\frac{1}{4}N^{\frac{1}{2}}$ by doing a brute-force search on the most significant bits of $\phi(N)$.

More precisely, we divide the interval $[N - 3N^{\frac{1}{2}}, N]$ into 6 sub-intervals of length $\frac{1}{2}N^{\frac{1}{2}}$ with centers $N - \frac{2i - 1}{4}N^{\frac{1}{2}}$, $i = 1, 2, \dots, 6$. For the correct choice of $i$ we have

$$\left| N - \frac{2i - 1}{4}N^{\frac{1}{2}} - \phi(N) \right| \le \frac{1}{4}N^{\frac{1}{2}}.$$

Let $g$ denote the term $\frac{2i - 1}{4}N^{\frac{1}{2}}$ for the right choice of $i$. That is, we know $\phi(N) = N - g - y$ for some unknown $y$ with $|y| \le \frac{1}{4}N^{\frac{1}{2}}$.

Plugging our approximations for $k$ and $\phi(N)$ into (2) leads to

$$ed - 1 - (\tilde{k} + x)(N - g - y) = 0.$$
Let us round $\tilde{k}$ and $g$ to the next integers. Here we omit the rounding brackets $\lceil\tilde{k}\rceil$, $\lceil g\rceil$ for ease of simplicity. Notice that the effect of this rounding on the bounds of the estimation errors $x$ and $y$ can be neglected ($x$ becomes even smaller). Thus, we assume in the following that $\tilde{k}$, $g$ are integers. Therefore, we can define the following bivariate integer polynomial

$$f(x, y) = xy - (N - g)x + \tilde{k}y - \tilde{k}(N - g) + ed - 1$$

with a root $(x_0, y_0) = (k - \tilde{k},\ p + q - 1 - g)$ over the integers.

In order to apply Coppersmith's theorem (Theorem 2), we have to bound the size of the root $(x_0, y_0)$. We define $X = 6N^{\frac{1}{2}}$ and $Y = \frac{1}{4}N^{\frac{1}{2}}$. Then, $|x_0| \le X$ and $|y_0| \le Y$.

Let $W$ denote the $\ell_\infty$-norm of the coefficient vector of $f(xX, yY)$. We have

$$W \ge (N - g)X \ge 3N^{\frac{3}{2}}.$$

By Coppersmith's theorem, we have to satisfy the condition $XY < W^{\frac{2}{3}}$. Using our bounds, we obtain

$$XY = \tfrac{3}{2}N < 3^{\frac{2}{3}}N \le W^{\frac{2}{3}}.$$

Thus, we can find the root $(x_0, y_0)$ in time polynomial in the bit-size of $W$ using Coppersmith's method. Note that the running time is also polynomial in the bit-size of $N$ since $W \le NX = 6N^{\frac{3}{2}}$. Finally, the term $y_0 = p + q - 1 - g$ yields the factorization of $N$. This concludes the proof of the theorem. □

We want to point out that Theorem 3 can be easily generalized to the case where $p + q \le \mathrm{poly}(\log N)\cdot N^{\frac{1}{2}}$, i.e., we do not necessarily need that $p$ and $q$ are of the same bit-size. All that we have to require is that they are balanced up to some polylogarithmic factor in $N$.

The following theorem is a direct consequence of Theorem 3. It establishes the polynomial time equivalence of computing $d$ and factoring $N$ in the common RSA case, where $e, d \in \mathbb{Z}^*_{\phi(N)}$.

Theorem 4 Let $N = pq$ be an RSA-modulus, where $p$ and $q$ are of the same bit-size. Furthermore, let $e \in \mathbb{Z}^*_{\phi(N)}$ be an RSA public exponent.

Suppose we have an algorithm that on input $(N, e)$ outputs in deterministic polynomial time the RSA secret exponent $d \in \mathbb{Z}^*_{\phi(N)}$ satisfying $ed = 1 \bmod \phi(N)$.

Then $N$ can be factored in deterministic polynomial time.

4 Experiments

We want to provide some experimental results. We implemented the algorithm introduced in the previous section on a 1GHz Linux-PC. Our implementation of Coppersmith's method follows the description given by Coron [4]. $L^3$-lattice reduction [7] is done using Shoup's NTL library [10].

We choose $e < \phi(N)$ randomly. Therefore, in every experiment the product $ed$ is very close to the bound $N^2$. Notice that in Theorem 3, we have to do a small brute-force search on the most significant bits of $\phi(N)$ in order to prove the desired bound. The polynomial time algorithm of Coppersmith given by Theorem 2 requires a similar brute-force search on the most significant bits.

In Table 1, we added a column that states the total number $c$ of bits that one has to guess in order to find a sufficiently small lattice vector. Thus, we have to multiply the running time of the lattice reduction algorithm by a factor of $2^c$. As the results indicate, the number $c$ heavily depends on the lattice dimension. Coppersmith's technique yields a polynomial time algorithm when the lattice dimension is of size $O(\log W)$. However, we only tested our algorithm for lattices of small fixed dimensions 16, 25 and 36.



Table 1. Results for $ed \approx N^2$

    N          c         dim   L^3-time
    512 bit    55 bit    16    0.5 min
    512 bit    43 bit    25    6 min
    512 bit    36 bit    36    53 min
    768 bit    80 bit    16    1 min
    768 bit    63 bit    25    13 min
    768 bit    53 bit    36    128 min
    1024 bit   105 bit   16    2.5 min
    1024 bit   82 bit    25    26 min
    1024 bit   67 bit    36    242 min



Our experiments compare well to the experimental results of Coron [3]: one
cannot come close to the bounds of Coppersmith's theorem without reducing
lattices of large dimension. Notice that we have to guess a large number of bits.
In contrast, by the proof of Coppersmith's theorem (see [4]) the number of bits
that one has to guess for lattice dimension $O(\log N)$ is a small constant. However,
it is a non-trivial task to handle lattices of these dimensions in practice.








One might conclude that our method is of purely theoretical interest. But let
us point out that we have a worst case for our approach when the product ed is
very close to the bound $N^2$. In Table 2, we provide some more practical results
for the case ed ≈



Table 2. Results for ed ≈

    N          c         dim   L^3-time
    512 bit    10 bit    25    6 min
    768 bit    13 bit    25    13 min
    1024 bit   18 bit    25    26 min
Abstract. We introduce the notion of multi-trapdoor commitments
which is a stronger form of trapdoor commitment schemes. We then 
construct two very efficient instantiations of multi-trapdoor commitment 
schemes, one based on the Strong RSA Assumption and the other on the 
Strong Diffie-Hellman Assumption. 

The main application of our new notion is the construction of a compiler 
that takes any proof of knowledge and transforms it into one which is 
secure against a concurrent man-in-the-middle attack (in the common 
reference string model). When using our specific implementations, this 
compiler is very efficient (requires no more than four exponentiations) 
and maintains the round complexity of the original proof of knowledge. 
The main practical applications of our results are concurrently secure 
identification protocols. For these applications our results are the first 
simple and efficient solutions based on the Strong RSA or Diffie-Hellman 
Assumption. 



1 Introduction 

A proof of knowledge allows a Prover to convince a Verifier that he knows some 
secret information w (for example a witness for an NP-statement y). Since w
must remain secret, one must ensure that the proof does not reveal any informa- 
tion about w to the Verifier (who may not necessarily act honestly and follow the 
protocol). Proofs of knowledge have several applications, chief among them iden- 
tification protocols where a party, who is associated with a public key, identifies 
himself by proving knowledge of the matching secret key. 

However when proofs of knowledge are performed on an open network, like 
the Internet, one has to worry about an active attacker manipulating the con- 
versation between honest parties. In such a network, also, we cannot expect to 
control the timing of message delivery, thus we should assume that the adversary 
has control on when messages are delivered to honest parties. 

* Extended Abstract. The full version of the paper is available at
http://eprint.iacr.org/2003/214/

The adversary could play the "man-in-the-middle" role, between honest
provers and verifiers. In such an attack the adversary will act as a prover with 
an honest verifier, trying to make her accept a proof, even if the adversary does 
not know the corresponding secret information. During this attack, the adver- 
sary will have access to honest provers proving other statements. In the most 
powerful attack, the adversary will start several such sessions at the same time, 
and interleave the messages in any arbitrary way. 

Informally, we say that a proof of knowledge is concurrently non-malleable, 
if such an adversary will never be able to convince a verifier when she does not 
know the relevant secret information (unless, of course, the adversary simply 
relays messages unchanged from an honest prover to an honest verifier). 

Our Main Contribution. We present a general transformation that takes any 
proof of knowledge and makes it concurrently non-malleable. The transformation 
preserves the round complexity of the original scheme and it requires a common 
reference string shared by all parties. 

The crucial technical tool to construct such compiler is the notion of multi- 
trapdoor commitments (MTC) which we introduce in this paper. After defining 
the notion we show specific number-theoretic constructions based on the Strong 
RSA Assumption and the recently introduced Strong Diffie-Hellman Assump-
tion. These constructions are very efficient, and when applied to the concurrent 
compiler described above, this is the whole overhead. 

Multi-trapdoor Commitments. Recall that a commitment scheme consists
of two phases, the first one in which a sender commits to a message (think of it 
as putting it inside a sealed envelope on the table) and a second one in which 
the sender reveals the committed message (opens the envelope). 

A trapdoor commitment scheme allows a sender to commit to a message with 
information-theoretic privacy. I.e., given the transcript of the commitment phase 
the receiver, even with infinite computing power, cannot guess the committed 
message better than at random. On the other hand when it comes to open- 
ing the message, the sender is only computationally bound to the committed 
message. Indeed the scheme admits a trapdoor whose knowledge allows to open 
a commitment in any possible way. This trapdoor should be hard to compute 
efficiently. 

A multi-trapdoor commitment scheme consists of a family of trapdoor com- 
mitments. Each scheme in the family is information-theoretically private. The 
family admits a master trapdoor whose knowledge allows to open any commit- 
ment in the family in any way it is desired. Moreover each commitment scheme 
in the family admits its own specific trapdoor. The crucial property in the def- 
inition of multi-trapdoor commitments is that when given the trapdoor of one 
scheme in the family it is infeasible to compute the trapdoor of another scheme 
(unless the master trapdoor is known). 

Concurrent Composition in Detail. When considering a man-in-the-middle 
attacker for proofs of knowledge we must be careful to define exactly what kind 
of concurrent composition we allow. 
Above we described the case in which the attacker acts as a verifier in sev-
eral concurrent executions of the proof, with several provers. We call this left- 
concurrency (as usually the provers are positioned on the left of the picture). On 
the other hand right- concurrency means that the adversary could start several 
concurrent executions as a prover with several verifiers. 

Under these attacks, we need to prove that the protocols are zero-knowledge 
(i.e. simulatable) and also proofs of knowledge (i.e. one can extract the wit- 
ness from the adversary). When it comes to extraction one also has to make 
the distinction between on-line and post-protocol extraction [27]. In an on-line 
extraction, the witness is extracted as soon as the prover successfully convinces 
the verifier. In a post-protocol extraction procedure, the extractor waits for the 
end of all the concurrent executions to extract the witnesses of the successful 
executions. 

In the common reference string model it is well known how to fully (i.e. both left and
right) simulate proofs of knowledge efficiently, using the result of Damgard [16].
We use his techniques, so our protocols are fully concurrently zero-knowledge.
Extraction is more complicated. Lindell in [30] shows how to do post-protocol
extraction for the case of right concurrency. We can use his techniques as well.
But for many applications what really matters is on-line extraction. We are able
to do that only under left-concurrency¹. This is however enough to build fully
concurrently secure applications like identification protocols.

Prior Work. Zero-knowledge protocols were introduced in [24]. The notion of 
proof of knowledge (already implicit in [24]) was formalized in [21,6]. 

Concurrent zero-knowledge was introduced in [20]. They point out that the
typical simulation paradigm to prove that a protocol is zero-knowledge fails to 
work in a concurrent model. This work sparked a long series of papers culmi- 
nating in the discovery of non-constant upper and lower bounds on the round 
complexity of concurrent zero-knowledge in the black-box model [13, 34], unless 
extra assumptions are used such as a common reference string. Moreover, in a 
breakthrough result, Barak [2] shows a constant round non-black-box concurrent 
zero- knowledge protocol, which however is very inefficient in practice. 

If one is willing to augment the computational model with a common refer- 
ence string, Damgard [16] shows how to construct very efficient 3-round protocols 
which are concurrent (black-box) zero-knowledge. 

However all these works focus only on the issue of zero-knowledge, where one 
has to prove that a verifier who may engage with several provers in a concurrent 
fashion, does not learn any information. Our work focuses more on the issue 
of malleability in proofs of knowledge, i.e. security against a man-in-the-middle
who may start concurrent sessions. 

The problem of malleability in cryptographic algorithms, and specifically
in zero-knowledge proofs, was formalized by Dolev et al. in [19], where a
non-malleable ZK proof with a polylogarithmic number of rounds is presented. This
protocol, however, is only sequentially non-malleable, i.e. the adversary can only
start sessions sequentially (and non concurrently) with the prover. Barak in [3]
shows a constant round non-malleable ZK proof in the non-black-box model (and
thus very inefficient).

¹ However, as we explain later in the Introduction, we could achieve also
right-concurrency if we use so-called Ω-protocols.

Using the taxonomy introduced by Lindell [29], we can think of concurrent 
composition as the most general form of composition of a protocol with itself 
(i.e. in a world where only this protocol is run). On the other hand it would 
be desirable to have protocols that arbitrarily compose, not only with them- 
selves, but with any other “secure” protocol in the environment they run in. 
This is the notion of universal composable security as defined by Canetti [11]. 
Universally composable zero-knowledge protocols are in particular concurrently 
non-malleable. In the common reference string model (which is necessary as 
proven in [11]), a UCZK protocol for Hamiltonian Cycle was presented in [12].
Thus UCZK protocols for any NP problem can be constructed, but they are 
usually inefficient in practice since they require a reduction to the Hamiltonian 
Cycle problem. 

As it turns out, the common reference string model is necessary also to 
achieve concurrent non-malleability (see [30]). In this model, the first theoretical 
solution to our problem was presented in [17]. Following on the ideas presented 
in [17] more efficient solutions were presented in [27,22,31]. 

Our compiler uses ideas from both the works of Damgard [16] and Katz [27], 
with the only difference that it uses multi-trapdoor instead of regular trapdoor 
commitments in order to achieve concurrent non-malleability. 

Simulation-Sound Trapdoor Commitments. The notion of Simulation- 
Sound Trapdoor Commitments (SSTC), introduced in [22] and later refined and 
improved in [31], is very related to our notion of MTC. The notion was introduced 
for analogous purposes: to compile (in a way similar to ours) any Σ-protocol into
one which is left-concurrently non-malleable. They show generic constructions 
of SSTC and specific direct constructions based on the Strong RSA Assumption 
and the security of the DSA signature algorithm. 

The concept of SSTC is related to ours, though we define a weaker notion 
of commitment (we elaborate on the difference in Section 3). The important 
contribution of our paper with respect to [22,31] is twofold: (i) we show that 
this weaker notion is sufficient to construct concurrently non-malleable proofs; 
(ii) because our notion is weaker, we are able to construct more efficient number 
theoretic instantiations. Indeed our Strong RSA construction is about a factor of 
2 faster than the one presented in [31]. This efficiency improvement is inherited 
by the concurrently non-malleable proof of knowledge, since in both cases the 
computation of the commitment is the whole overhead².

² In [22, 31] Ω-protocols are introduced, which dispense with the need for rewinding when
extracting and thus can be proven to be left and right-concurrently non-malleable
(and with some extra modification even universally composable). It should be noted
that if we apply our transformation to the so-called Ω-protocols introduced by [22],
then we obtain on-line extraction under both left and right concurrency. However we
know how to construct efficient direct constructions of Ω-protocols only for
knowledge of discrete logarithms, and even that is not particularly efficient. Since for the
applications we had in mind left-concurrency was sufficient, we did not follow this
path in this paper.

Remark. Because of space limitations, all the proofs of the Theorems, and
various technical details are omitted and can be found in the full version of the
paper.



2 Preliminaries 

In the following we say that a function f(n) is negligible if for every polynomial
$Q(\cdot)$ there exists an index $n_0$ such that for all $n > n_0$, $f(n) < 1/Q(n)$.

Also if $A(\cdot)$ is a randomized algorithm, with $a \leftarrow A(\cdot)$ we denote the event
that A outputs the string a. With $\mathrm{Prob}[A_1; \ldots; A_k : B]$ we denote the probability
of event B happening after $A_1, \ldots, A_k$.



2.1 One-Time Signatures 

Our construction requires a strong one-time signature scheme which is secure 
against chosen message attack. Informally this means that the adversary is given 
the public key and signatures on any messages of her choice (adaptively chosen 
after seeing the public key). Then it is infeasible for the adversary to compute a
signature of a new message, or a different signature on a message already asked. 
The following definition is adapted from [25]. 

Definition 1. (SG, Sig, Ver) is a strong one-time secure signature if for every
probabilistic polynomial time forger $\mathcal{F}$, the following probability

$$\mathrm{Prob}\left[\begin{array}{l}
(sk, vk) \leftarrow SG(1^n);\ M \leftarrow \mathcal{F}(vk);\\
sig \leftarrow Sig(M, sk);\ \mathcal{F}(M, sig, vk) = (M', sig') : \\
Ver(M', sig', vk) = 1 \text{ and } (M \neq M' \text{ or } sig \neq sig')
\end{array}\right]$$

is negligible in n.



One-time signatures can be constructed more efficiently than general signatures 
since they do not require public key operations (see [7,8,28]). Virtually all the 
efficient one-time signature schemes are strong. 
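As an added illustration (this is not code from the paper), the following is the Lamport one-time signature, the classic hash-based construction the paragraph alludes to: key generation, signing and verification use nothing but a hash function, and the reason the key must be one-time is made explicit by `reuse_leaks_preimages`. The 64-bit message digest, the function names and the use of SHA-256 are this example's own choices.

```python
# Added example (not from the paper): Lamport one-time signatures.
# sk holds 2*N_BITS random preimages, vk their hashes; a signature on M
# reveals one preimage per bit of H(M).  Signing two different messages
# with one key reveals both preimages at every position where the digests
# differ, which is why the key may be used only once.
import hashlib
import secrets

N_BITS = 64          # digest length of this toy instance (constructed choice)


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _msg_bits(message: bytes):
    """First N_BITS bits of SHA-256(message), most significant bit first."""
    digest = int.from_bytes(_h(message)[:N_BITS // 8], "big")
    return [(digest >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]


def sg(rng=secrets.token_bytes):
    """Key generation SG: sk[i][b] is a random 32-byte string, vk[i][b] = H(sk[i][b])."""
    sk = [[rng(32), rng(32)] for _ in range(N_BITS)]
    vk = [[_h(sk[i][0]), _h(sk[i][1])] for i in range(N_BITS)]
    return sk, vk


def sig(message: bytes, sk):
    """Sign: for every digest bit i reveal the preimage sk[i][bit]."""
    return [sk[i][b] for i, b in enumerate(_msg_bits(message))]


def ver(message: bytes, signature, vk) -> bool:
    """Verify: every revealed preimage must hash to the matching vk entry."""
    if len(signature) != N_BITS:
        return False
    bits = _msg_bits(message)
    return all(_h(signature[i]) == vk[i][bits[i]] for i in range(N_BITS))


def reuse_leaks_preimages(m1: bytes, m2: bytes) -> int:
    """Number of positions at which signing both m1 and m2 under one key
    would expose both preimages (the positions where the digests differ).
    Any such position lets a third party choose that bit freely, so a
    defender must treat a reused Lamport key as fully compromised."""
    b1, b2 = _msg_bits(m1), _msg_bits(m2)
    return sum(1 for i in range(N_BITS) if b1[i] != b2[i])
```

The signature is "strong" in the sense of Definition 1: a second valid signature on the same message would require a second preimage of some vk entry, and a valid signature on a different message would require preimages the signer never revealed.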



2.2 The Strong RSA Assumption 

Let N be the product of two primes, N = pq. With $\phi(N)$ we denote the Euler
function of N, i.e. $\phi(N) = (p-1)(q-1)$. With $\mathbb{Z}_N^*$ we denote the set of integers
between 0 and N − 1 and relatively prime to N.

Let e be an integer relatively prime to $\phi(N)$. The RSA Assumption [35]
states that it is infeasible to compute e-roots in $\mathbb{Z}_N^*$. I.e. given a random element
$s \in_R \mathbb{Z}_N^*$ it is hard to find x such that $x^e = s \bmod N$.

The Strong RSA Assumption (introduced in [4]) states that given a random
element s in $\mathbb{Z}_N^*$ it is hard to find $x, e \neq 1$ such that $x^e = s \bmod N$. The
assumption differs from the traditional RSA assumption in that we allow the
adversary to freely choose the exponent e for which she will be able to compute
e-roots.

We now give formal definitions. Let RSA(n) be the set of integers N, such
that N is the product of two n/2-bit primes.
Assumption 1 We say that the Strong RSA Assumption holds, if for all probabilistic
polynomial time adversaries A the following probability

$$\mathrm{Prob}[\, N \leftarrow RSA(n);\ s \leftarrow \mathbb{Z}_N^* : A(N, s) = (x, e) \text{ s.t. } x^e = s \bmod N \,]$$

is negligible in n.

A more efficient variant of our protocol requires that N is selected as the product
of two safe primes, i.e. N = pq where p = 2p' + 1, q = 2q' + 1 and both p', q'
are primes. We denote with SRSA(n) the set of integers N, such that N is the
product of two n/2-bit safe primes. In this case the assumptions above must be
restated replacing RSA(n) with SRSA(n).

2.3 The Strong Diffie-Hellman Assumption

We now briefly recall the Strong Diffie-Hellman (SDH) Assumption, recently
introduced by Boneh and Boyen in [9].

Let G be a cyclic group of prime order q, generated by g. The SDH Assumption
can be thought of as an equivalent of the Strong RSA Assumption over cyclic
groups. It basically says that no attacker on input $G, g, g^x, g^{x^2}, g^{x^3}, \ldots$, for some
random $x \in \mathbb{Z}_q$, should be able to come up with a pair (e, h) such that $h^{x+e} = g$.

Assumption 2 We say that the $\ell$-SDH Assumption holds over a cyclic group
G of prime order q generated by g, if for all probabilistic polynomial time adversaries
A the following probability

$$\mathrm{Prob}[\, x \leftarrow \mathbb{Z}_q : A(g, g^x, g^{x^2}, \ldots, g^{x^\ell}) = (e \in \mathbb{Z}_q, h \in G) \text{ s.t. } h^{x+e} = g \,]$$

is negligible in $n = |q|$.

Notice that, depending on the group G, there may not be an efficient way to
determine if A succeeded in outputting (e, h) as above. Indeed in order to check
if $h^{x+e} = g$ when all we have is $g^x$, we need to solve the Decisional Diffie-Hellman
(DDH) problem on the triple $(g^x g^e, h, g)$. Thus, although Assumption
2 is well defined on any cyclic group G, we are going to use it on the so-called
gap-DDH groups, i.e. groups in which there is an efficient test to determine (with
probability 1) on input $(g^a, g^b, g^c)$ if $c = ab \bmod q$ or not. The gap-DDH property
will also be required by our construction of multi-trapdoor commitments that
uses the SDH Assumption³.

2.4 Definition of Concurrent Proofs of Knowledge

Polynomial Time Relationships. Let $\mathcal{R}$ be a polynomial time computable
relationship, i.e. a language of pairs (y, w) such that it can be decided in polynomial
time in |y| if $(y, w) \in \mathcal{R}$ or not. With $\mathcal{L}_{\mathcal{R}}$ we denote the language induced
by $\mathcal{R}$, i.e. $\mathcal{L}_{\mathcal{R}} = \{\, y : \exists w \text{ such that } (y, w) \in \mathcal{R} \,\}$.

³ Gap-DDH groups where Assumption 2 is believed to hold can be constructed using
bilinear maps introduced in the cryptographic literature by [10].

More formally an ensemble of polynomial time relationships $\mathcal{PTR}$ consists
of a collection of families $\mathcal{PTR} = \bigcup_n \mathcal{PTR}_n$ where each $\mathcal{PTR}_n$ is a family of
polynomial time relationships $\mathcal{R}_n$. To an ensemble $\mathcal{PTR}$ we associate a randomized
instance generator algorithm IG that on input $1^n$ outputs the description of
a relationship $\mathcal{R}_n$. In the following we will drop the suffix n when obvious from
the context.

Proofs of Knowledge. In a proof of knowledge for a relationship $\mathcal{R}$, two
parties, Prover P and Verifier V, interact on a common input y. P also holds a
secret input w, such that $(y, w) \in \mathcal{R}$. The goal of the protocol is to convince V
that P indeed knows such w. Ideally this proof should not reveal any information
about w to the verifier, i.e. be zero-knowledge.

The protocol should thus satisfy certain constraints. In particular it must be 
complete: if the Prover knows w then the Verifier should accept. It should be 
sound: for any (possibly dishonest) prover who does not know w, the verifier 
should almost always reject. Finally it should be zero-knowledge: no (poly-time) 
verifier (no matter what possibly dishonest strategy she follows during the proof) 
can learn any information about w. 

Σ-PROTOCOLS. Many proofs of knowledge belong to a class of protocols called
Σ-protocols. These are 3-move protocols for a polynomial time relationship $\mathcal{R}$ in
which the prover sends the first message a, the verifier answers with a random
challenge c, and the prover answers with a third message z. Then the verifier
applies a local decision test on y, a, c, z to accept or not.

Σ-protocols satisfy two special constraints:

Special soundness. A cheating prover can only answer one possible challenge
c. In other words we can compute the witness w from two accepting conversations
of the form (a, c, z) and (a, c', z').

Special zero-knowledge. Given the statement y and a challenge c, we can
produce (in polynomial time) an accepting conversation (a, c, z), with the
same distribution of real accepting conversations, without knowing the witness
w. Special zero-knowledge implies zero-knowledge with respect to the
honest verifier.

All the most important proofs of knowledge used in cryptographic applications
are Σ-protocols (e.g. [36,26]).

We will denote with $a \leftarrow \Sigma_1[y, w]$ the process of selecting the first message a
according to the protocol Σ. Similarly we denote $c \leftarrow \Sigma_2$ and $z \leftarrow \Sigma_3[y, w, a, c]$.
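An added worked example (not from the paper): Schnorr's proof of knowledge of a discrete logarithm, the Σ-protocol most often cited for this class, written as Σ1, Σ2, Σ3 in the notation just introduced, with the special-soundness extractor and the special-zero-knowledge simulator as separate functions so that both constraints can be checked directly. The group (the order-1019 subgroup of $\mathbb{Z}_{2039}^*$ generated by 4), the witness and every function name are this example's own constructed choices, small enough to read and giving no security.

```python
# Added example (not from the paper): Schnorr's Σ-protocol for knowledge of
# w with y = g^w, exhibiting special soundness and special zero-knowledge.
# Toy group: order-Q subgroup of Z_P^* with the constructed safe prime
# P = 2*Q + 1 = 2039 (insecure size, chosen only for readability).
import secrets

P, Q, G = 2039, 1019, 4      # constructed toy parameters; G generates the order-Q subgroup


def sigma1(y, w):
    """Σ1[y,w]: prover commits to a random exponent k and sends a = g^k.
    Returns (a, k); k is prover state and is never sent."""
    k = secrets.randbelow(Q)
    return pow(G, k, P), k


def sigma2():
    """Σ2: the verifier's uniformly random challenge c."""
    return secrets.randbelow(Q)


def sigma3(y, w, k, c):
    """Σ3[y,w,a,c]: prover answers z = k + c*w mod q."""
    return (k + c * w) % Q


def verify(y, a, c, z) -> bool:
    """Verifier's local decision test on (y, a, c, z): g^z == a * y^c."""
    return pow(G, z, P) == (a * pow(y, c, P)) % P


def extract(y, a, c1, z1, c2, z2):
    """Special soundness: two accepting conversations sharing a with
    c1 != c2 give the witness w = (z1 - z2) / (c1 - c2) mod q."""
    if c1 == c2 or not (verify(y, a, c1, z1) and verify(y, a, c2, z2)):
        raise ValueError("need two accepting conversations with distinct challenges")
    return ((z1 - z2) * pow((c1 - c2) % Q, -1, Q)) % Q


def simulate(y, c):
    """Special zero-knowledge: given y and c, choose z first and solve for
    a = g^z * y^(-c).  The transcript (a, c, z) accepts and has the same
    distribution as a real one, yet no witness was used."""
    z = secrets.randbelow(Q)
    a = (pow(G, z, P) * pow(y, -c, P)) % P
    return a, c, z
```

The `extract` function is exactly what a knowledge extractor with rewind access does: run the prover to obtain a, supply c1, rewind to after a, supply c2, and combine the two answers.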

Man-in-the-Middle Attacks. Consider now an adversary A that engages 
with a verifier V in a proof of knowledge. At the same time A acts as the verifier 
in another proof with a prover P. Even if the protocol is a proof of knowledge 
according to the definition in [6], it is still possible for A to make the verifier 
accept even without knowing the relevant secret information, by using P as an 
oracle. Of course A could always copy the messages from P to V, but it is not 
hard to show (see for example [27]) that she can actually prove even a different 
statement to V. 
In a concurrent attack, the adversary A is activating several sessions with
several provers, in any arbitrary interleaving. We call such an adversary a con- 
current man-in-the-middle. We say that a proof of knowledge is concurrently 
non-malleable if such an adversary fails to convince the verifier in a proof in 
which he does not know the secret information. In other words a proof of knowl- 
edge is concurrently non-malleable, if for any such adversary that makes the 
verifier accept with non-negligible probability we can extract a witness. 

Since we work in the common reference string model we define a proof sys- 
tem as tuple (crsG,P,V), where crsG is a randomized algorithm that on input 
the security parameter $1^n$ outputs the common reference string crs. In our definition
we limit the prover to be a probabilistic polynomial time machine, thus
technically our protocols are arguments and not proofs. But for the rest of the 
paper we will refer to them as proofs. 

If A is a concurrent man-in-the-middle adversary, let $\pi_A(n)$ be the probability
that the verifier V accepts. That is

$$\pi_A(n) = \mathrm{Prob}[\, \mathcal{R}_n \leftarrow IG(1^n);\ crs \leftarrow crsG(1^n);\ [A^{P(y_1, w_1), \ldots, P(y_k, w_k)}, V](crs, y) = 1 \,]$$

where the statements $y, y_1, \ldots, y_k$ are adaptively chosen by A. Also we denote
with $View[A, P, V]_{crs}$ the view of A at the end of the interaction with P and V
on common reference string crs.

Definition 2. We say that (crsG, P, V) is a concurrently non-malleable proof of
knowledge for a relationship $(\mathcal{PTR}, IG)$ if the following properties are satisfied:

Completeness. For all $(y, w) \in \mathcal{R}_n$ (for all $\mathcal{R}_n$) we have that $[P(y, w), V(y)] = 1$.
Witness Extraction. There exist a probabilistic polynomial time knowledge
extractor KE, a function $\kappa : \{0, 1\}^* \to [0, 1]$ and a negligible function $\epsilon$,
such that for all probabilistic polynomial time concurrent man-in-the-middle
adversaries A, if $\pi_A(n) > \kappa(n)$ then KE, given rewind access to A, computes
w such that $(y, w) \in \mathcal{R}_n$ with probability at least $\pi_A(n) - \kappa(n) - \epsilon(n)$.
Zero-Knowledge. There exist a probabilistic polynomial time simulator SIM =
$(SIM_1, SIM_P, SIM_V)$, such that the two random variables

$$Real(n) = [\, crs \leftarrow crsG(1^n),\ View[A, P, V]_{crs} \,]$$

$$Sim(n) = [\, crs \leftarrow SIM_1(1^n),\ View[A, SIM_P, SIM_V]_{crs} \,]$$

are indistinguishable.

Notice that in the definition of zero-knowledge the simulator does not have the
power to rewind the adversary. This will guarantee that the zero-knowledge
property will hold in a concurrent scenario. Notice also that the definition of
witness extraction assumes only left-concurrency (i.e. the adversary has access
to many provers but only to one verifier).

3 Multi-trapdoor Commitment Schemes 

A trapdoor commitment scheme allows a sender to commit to a message with 
information-theoretic privacy. I.e., given the transcript of the commitment phase 
the receiver, even with infinite computing power, cannot guess the committed
message better than at random. On the other hand when it comes to opening 
the message, the sender is only computationally bound to the committed mes- 
sage. Indeed the scheme admits a trapdoor whose knowledge allows to open a 
commitment in any possible way (we will refer to this also as equivocate the 
commitment). This trapdoor should be hard to compute efficiently. 

A multi-trapdoor commitment scheme consists of a family of trapdoor com- 
mitments. Each scheme in the family is information-theoretically private. We 
require the following properties from a multi-trapdoor commitment scheme: 

1. The family admits a master trapdoor whose knowledge allows to open any 
commitment in the family in any way it is desired. 

2. Each commitment scheme in the family admits its own specific trapdoor, 
which allows to equivocate that specific scheme. 

3. For any commitment scheme in the family, it is infeasible to open it in 
two different ways, unless the trapdoor is known. However we do allow the 
adversary to equivocate on a few schemes in the family, by giving it access 
to an oracle that opens a given committed value in any desired way. The 
adversary must select these schemes before seeing the definition of the whole
family. It should remain infeasible for the adversary to equivocate any other 
scheme in the family. 

The main difference between our definition and the notion of SSTC [22, 31] 
is that SSTC allow the adversary to choose the schemes in which it wants to 
equivocate even after seeing the definition of the family. Clearly SSTC are a 
stronger requirement, which is probably why we are able to obtain more efficient 
constructions. 

We now give a formal definition. A (non-interactive) multi-trapdoor com- 
mitment scheme consists of five algorithms: CKG, Sel, Tkg, Com, Open with the 
following properties. 

CKG is the master key generation algorithm, on input the security parameter 
it outputs a pair PK, TK where PK is the master public key associated with the 
family of commitment schemes, and TK is called the master trapdoor. 

The algorithm Sel selects a commitment in the family. On input PK it outputs 
a specific public key pk that identifies one of the schemes. 

Tkg is the specific trapdoor generation algorithm. On input PK,TK,pk it 
outputs the specific trapdoor information tk relative to pk. 

Com is the commitment algorithm. On input PK, pk and a message M it
outputs $C(M) = Com(PK, pk, M, R)$ where R are the coin tosses. To open a
commitment the sender reveals M, R and the receiver recomputes C.

Open is the algorithm that opens a commitment in any possible way given
the trapdoor information. It takes as input the keys PK, pk, a commitment C(M)
and its opening M, R, a message $M' \neq M$ and a string T. If T = TK or T = tk
then Open outputs R' such that $C(M) = Com(PK, pk, M', R')$.

We require the following properties. Assume PK and all the pk’s are chosen 
according to the distributions induced by CKG and Tkg. 
Information Theoretic Security. For every message pair M, M' the distributions
C(M) and C(M') are statistically close.

Secure Binding. Consider the following game. The adversary A selects k
strings $(pk_1, \ldots, pk_k)$. It is then given a public key PK for a multi-trapdoor
commitment family, generated with the same distribution as the ones generated
by CKG. Also, A is given access to an oracle EQ (for Equivocator),
which is queried on the following string $C = Com(PK, pk, M, R)$, M, R, pk
and a message $M' \neq M$. If $pk = pk_i$ for some i, and is a valid public key,
then EQ answers with R' such that $C = Com(PK, pk, M', R')$ otherwise it
outputs nil. We say that A wins if it outputs C, M, R, M', R', pk such that
$C = Com(PK, pk, M, R) = Com(PK, pk, M', R')$, $M \neq M'$ and $pk \neq pk_i$ for
all i. We require that for all efficient algorithms A, the probability that A
wins is negligible in the security parameter.

We can define a stronger version of the Secure Binding property by requiring
that the adversary A receives the trapdoors $tk_i$'s matching the public keys $pk_i$'s,
instead of access to the equivocator oracle EQ. In this case we say that the
multi-trapdoor commitment family is strong⁴.

3.1 A Scheme Based on the Strong RSA Assumption 

The starting point for our construction of multi-trapdoor commitments based
on the Strong RSA Assumption is a commitment scheme based on the (regular)
RSA Assumption, which has been widely used in the literature before (e.g. [14,
15]).

The master public key is a number N product of two large primes p, q, and s
a random element of $\mathbb{Z}_N^*$. The master trapdoor is the factorization of N, i.e. the
integers p, q. The public key of a scheme in the family is an $\ell$-bit prime number
e such that $GCD(e, \phi(N)) = 1$. The specific trapdoor of the scheme with public
key e is the e-root of s, i.e. a value $\sigma_e$ such that $\sigma_e^e = s \bmod N$.

To commit to $a \in [1..2^{\ell-1}]$ the sender chooses r and computes
$A = s^a \cdot r^e \bmod N$. To decommit the sender reveals a, r and the previous equation is
verified by the receiver.

Proposition 1. Under the Strong RSA Assumption the scheme described above 
is a multi-trapdoor commitment scheme. 

Sketch of Proof: Each scheme in the family is unconditionally secret. Given a
value $A = s^a \cdot r^e$ we note that for each value $a' \neq a$ there exists a unique value
r' such that $A = s^{a'} (r')^e$. Indeed this value is the e-root of $A \cdot s^{-a'}$. Observe,
moreover, that r' can be computed efficiently as $r \cdot \sigma_e^{a - a'}$, thus knowledge of $\sigma_e$
allows to open a commitment (for which we know an opening) in any desired
way.

⁴ This was actually our original definition of multi-trapdoor commitments. Phil
MacKenzie suggested the possibility of using the weaker approach of giving access to
an equivocator oracle (as done in [31]) and we decided to modify our main definition
to the weaker one, since it suffices for our application. However the strong definition
may also have applications, so we decided to present it as well.
We now argue the Secure Binding property under the Strong RSA Assumption.
Assume we are given a Strong RSA problem instance $N, \sigma$. Let's now
run the Secure Binding game. The adversary is going to select k public keys
which in this case are k primes, $e_1, \ldots, e_k$. We set $s = \sigma^E$ where $E = \prod_i e_i$
and return N, s as the public key of the multi-trapdoor commitment family. This
will easily allow us to simulate the oracle EQ, as we know the $e_i$-roots of s, i.e.
the trapdoors of the schemes identified by $e_i$.

Assume now that the adversary equivocates a commitment scheme in the
family identified by a prime $e \neq e_i$. The adversary returns a commitment A and
two distinct openings of it (a, r) and (a', r'). Thus

$$A = s^a \cdot r^e = s^{a'} \cdot (r')^e \bmod N \qquad (1)$$

Let $\delta = a - a'$. Since $a, a' < e$ and e and the $e_i$'s are all distinct primes we have
that $GCD(\delta E, e) = 1$. We can find integers $\alpha, \beta$ such that $\alpha \delta E + \beta e = 1$. Now
we can compute (using Shamir's GCD trick [37] and Eq. (1))

$$\sigma = \sigma^{\alpha \delta E} \cdot \sigma^{\beta e} = (s^{\delta})^{\alpha} \cdot \sigma^{\beta e} = \left(\frac{r'}{r}\right)^{\alpha e} \cdot \sigma^{\beta e}$$

By taking e-roots on both sides we find that $(r'/r)^{\alpha} \cdot \sigma^{\beta}$ is an e-root of $\sigma$. □
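The scheme of Section 3.1 and the GCD trick used in the proof above, as an added example (not the paper's own code, which it does not provide): `ckg`, `tkg`, `com` and `open_with_trapdoor` follow the description given (the trapdoor $\sigma_e$ is computed from the factorization as $s^{e^{-1} \bmod \phi(N)}$, and equivocation uses $r' = r \cdot \sigma_e^{a-a'}$), and `root_from_double_opening` shows the other half of the binding argument: two openings of one commitment give $s^{a-a'} = (r'/r)^e$, which Shamir's trick turns into the e-root of s, i.e. the scheme's own trapdoor. The primes 1019 and 1021 and all function names are constructed for readability and provide no security.

```python
# Added example (not from the paper): the Strong-RSA-based multi-trapdoor
# commitment of Section 3.1 on constructed toy parameters, plus Shamir's
# GCD trick from the Secure Binding reduction.  Toy primes only.
import math
import secrets

P_TOY, Q_TOY = 1019, 1021            # constructed toy primes (the master trapdoor)


def ckg(p=P_TOY, q=Q_TOY):
    """Master key generation: PK = (N, s) with s random in Z_N^*, TK = (p, q)."""
    n = p * q
    s = secrets.randbelow(n - 2) + 2
    while math.gcd(s, n) != 1:
        s = secrets.randbelow(n - 2) + 2
    return (n, s), (p, q)


def tkg(pk_master, tk_master, e):
    """Specific trapdoor of scheme e: sigma_e = s^(e^-1 mod phi(N)), so sigma_e^e = s."""
    n, s = pk_master
    p, q = tk_master
    phi = (p - 1) * (q - 1)
    return pow(s, pow(e, -1, phi), n)


def com(pk_master, e, a, r=None):
    """Commit to a under scheme e: A = s^a * r^e mod N.  Returns (A, r)."""
    n, s = pk_master
    if r is None:
        r = secrets.randbelow(n - 2) + 2
    return (pow(s, a, n) * pow(r, e, n)) % n, r


def verify_opening(pk_master, e, A, a, r) -> bool:
    """Receiver recomputes the commitment from the revealed (a, r)."""
    return com(pk_master, e, a, r)[0] == A


def open_with_trapdoor(pk_master, e, sigma_e, a, r, a_new):
    """Equivocate: r' = r * sigma_e^(a - a') satisfies s^a' * r'^e = s^a * r^e."""
    n, _ = pk_master
    return (r * pow(sigma_e, a - a_new, n)) % n


def shamir_root(n, s, y, delta, e):
    """Shamir's GCD trick: from y^e == s^delta (mod N) with gcd(delta, e) = 1,
    find x with x^e == s.  With alpha*delta + beta*e = 1:
    s = s^(alpha*delta) * s^(beta*e) = (y^alpha * s^beta)^e."""
    if math.gcd(delta, e) != 1:
        raise ValueError("gcd(delta, e) must be 1")
    alpha = pow(delta % e, -1, e)           # alpha*delta == 1 (mod e)
    beta = (1 - alpha * delta) // e         # exact division by construction
    return (pow(y, alpha, n) * pow(s, beta, n)) % n


def root_from_double_opening(pk_master, e, a1, r1, a2, r2):
    """Two openings (a1, r1), (a2, r2) of the same A give
    s^(a1 - a2) = (r2 / r1)^e, which Shamir's trick turns into the e-th
    root of s: the trapdoor sigma_e of scheme e."""
    n, s = pk_master
    y = (r2 * pow(r1, -1, n)) % n
    return shamir_root(n, s, y, a1 - a2, e)
```

In the reduction the simulator additionally sets $s = \sigma^E$, so that the root recovered here is an E-th power of the Strong RSA instance and one more application of the same trick yields the e-root of $\sigma$ itself; `shamir_root` is written generally enough to be reused for that step.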

Remark: The commitment scheme can be easily extended to any message domain
$\mathcal{M}$, by using a collision-resistant hash function H from $\mathcal{M}$ to $[1..2^{\ell-1}]$. In
this case the commitment is computed as $A = s^{H(M)} \cdot r^e \bmod N$. In our application we will use
a collision resistant function like SHA-1 that maps inputs to 160-bit integers and
then choose e's larger than $2^{160}$.

3.2 A Scheme Based on the SDH Assumption 

Let G be a cyclic group of prime order q generated by g. We assume that G is a gap-DDH group, i.e. a group such that deciding Diffie-Hellman triplets is easy. More formally we assume the existence of an efficient algorithm DDH-Test which on input a triplet (g^a, g^b, g^c) of elements in G outputs 1 if and only if c = ab mod q. We also assume that Assumption 2 holds in G.

The master key generation algorithm selects a random x ∈ Z_q which will be the master trapdoor. The master public key will be the pair g, h where h = g^x in G. Each commitment in the family will be identified by a specific public key pk which is simply an element e ∈ Z_q. The specific trapdoor tk of this scheme is the value f_e in G, such that = g.

To commit to a message a ∈ Z_q with public key pk = e, the sender chooses at random φ ∈ Z_q and computes h_e = (h · g^e)^φ. It then runs Pedersen's commitment [33] with bases g, h_e, i.e., it selects a random r ∈ Z_q and computes A = g^a h_e^r. The commitment to a is the value A.

To open a commitment the sender reveals a and F = g^{φr}. The receiver accepts the opening if DDH-Test(F, h · g^e, A · g^{−a}) = 1.
Proposition 2. Under the SDH Assumption the scheme described above is a multi-trapdoor commitment scheme.



Sketch of Proof: Each scheme in the family is easily seen to be unconditionally secret. The proof of the Secure Binding property follows from the proof of Lemma 1 in [9], where it is proven that the trapdoors f_e can be considered "weak signatures". In other words the adversary can obtain several f_{e_1}, ..., f_{e_ℓ} for values e_1, ..., e_ℓ chosen before seeing the public key g, h, and still will not be able (under the (ℓ+1)-SDH) to compute f_e for a new e ≠ e_i.

The proof is then completed if we can show that opening a commitment in two different ways for a specific e is equivalent to finding f_e.

Assume we can open a commitment A = g^α in two ways a, F = g^β and a', F' = g^{β'} with a ≠ a'. The DDH-Test tells us that α − a = β(x + e) and α − a' = β'(x + e), thus a − a' = (β' − β)(x + e), or

   g^{a − a'} = (F' · F^{−1})^{x + e}, i.e. f_e = (F' · F^{−1})^{1/(a − a')}.

By the same reasoning, if we know f_e and we have an opening F, a and we want to open it as a' we need to set F' = F · f_e^{a − a'}. □
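The SDH-based family above, worked through in code as an added example (it is not the paper's own code). A constructed toy gap-DDH group is assumed, namely the order-q subgroup of Z_p^* for the safe prime p = 2q + 1 with q = 1019, where DDH-Test is implemented by brute-force discrete logarithm because q is tiny; the block runs commit, open and verify, then the trapdoor equivocation F' = F · f_e^{a−a'} and the extraction f_e = (F'/F)^{1/(a−a')} from two openings of the same commitment.

```python
import secrets

# Constructed toy gap-DDH group: the order-q subgroup of Z_p^* for the safe
# prime p = 2q + 1 with q = 1019. q is tiny so that DDH-Test can be done by
# brute-force discrete log; a real instance uses a pairing group, where the
# pairing itself serves as the DDH-Test.
P = 2039
Q = 1019
G = 4  # quadratic residue mod p, hence a generator of the order-q subgroup

def _dlog(y):
    """Brute-force log_g(y); feasible only because q is tiny."""
    acc = 1
    for i in range(Q):
        if acc == y:
            return i
        acc = acc * G % P
    raise ValueError("element not in the subgroup")

def ddh_test(x_elt, y_elt, z_elt):
    """1 iff (x_elt, y_elt, z_elt) = (g^a, g^b, g^c) with c = ab mod q."""
    return 1 if pow(y_elt, _dlog(x_elt), P) == z_elt else 0

def master_keygen():
    """Master trapdoor x and master public key h = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def trapdoor(x, e):
    """Specific trapdoor f_e = g^{1/(x+e)} for the scheme with public key e."""
    return pow(G, pow((x + e) % Q, -1, Q), P)

def commit(h, e, a):
    """Commit to a in Z_q under public key e; returns (A, opening value F)."""
    phi = secrets.randbelow(Q - 1) + 1
    h_e = pow(h * pow(G, e, P) % P, phi, P)      # h_e = (h g^e)^phi
    r = secrets.randbelow(Q - 1) + 1
    A = pow(G, a, P) * pow(h_e, r, P) % P        # Pedersen with bases g, h_e
    F = pow(G, phi * r % Q, P)                   # F = g^{phi r}
    return A, F

def verify_open(h, e, A, a, F):
    """Receiver's check: DDH-Test(F, h g^e, A g^{-a}) = 1."""
    return ddh_test(F, h * pow(G, e, P) % P, A * pow(G, -a % Q, P) % P) == 1

def equivocate(f_e, a, F, a_new):
    """With f_e, re-open (a, F) as (a_new, F') where F' = F f_e^{a - a_new}."""
    return F * pow(f_e, (a - a_new) % Q, P) % P

def extract_trapdoor(a, F, a_new, F_new):
    """Two openings of one commitment leak f_e = (F'/F)^{1/(a - a')}."""
    ratio = F_new * pow(F, -1, P) % P
    return pow(ratio, pow((a - a_new) % Q, -1, Q), P)

def demo(e=7, a=123, a_new=456):
    """Returns (honest opening verifies, equivocated opening verifies,
    mismatched opening rejected, extracted trapdoor equals f_e)."""
    x, h = master_keygen()
    while (x + e) % Q == 0:                      # f_e undefined when x = -e
        x, h = master_keygen()
    A, F = commit(h, e, a)
    honest = verify_open(h, e, A, a, F)
    F_new = equivocate(trapdoor(x, e), a, F, a_new)
    forged = verify_open(h, e, A, a_new, F_new)
    mismatched = verify_open(h, e, A, a_new, F)
    extracted = extract_trapdoor(a, F, a_new, F_new) == trapdoor(x, e)
    return honest, forged, mismatched, extracted

if __name__ == "__main__":
    print(demo())  # (True, True, False, True)
```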



4 The Protocol 

In this section we describe our full solution for non-malleable proofs of knowledge 
secure under concurrent composition using multi-trapdoor commitments. 

Informal Description. We start from a Σ-protocol as described in Section 2. That is, the prover P wants to prove to a verifier V that he knows a witness w for some statement y. The prover sends a first message a. The verifier challenges the prover with a random value c and the prover answers with his response z.

We modify this Σ-protocol in the following way. We assume that the parties share a common reference string that contains the master public key PK for a multi-trapdoor commitment scheme. The common reference string also contains a collision-resistant hash function H from the set of verification keys vk of the one-time signature scheme, to the set of public keys pk in the multi-trapdoor commitment scheme determined by the master public key PK.

The prover chooses a key pair (sk, vk) for a one-time strong signature scheme. The prover computes pk = H(vk) and A = Com(PK, pk, a, r) where a is the first message of the Σ-protocol and r is chosen at random (as prescribed by the definition of Com). The prover sends vk, A to the verifier. The crucial trick is that we use the verification key vk to determine the value pk used in the commitment scheme.

The verifier sends the challenge c. The prover sends back a, r as an opening of A and the answer z of the Σ-protocol. It also sends sig, a signature over the whole transcript, computed using sk. The verifier checks that a, r is a correct opening of A, that sig is a valid signature over the transcript using vk and also that (a, c, z) is an accepting conversation for the Σ-protocol. The protocol is described in Figure 1.

CNM-POK

Common Reference String: PK the master public key for a multi-trapdoor commitment scheme. A collision resistant hash function H which maps inputs to public keys for the multi-trapdoor commitment scheme determined by PK.

Common Input: A string y.

Private Input for the Prover: a witness w for the statement y, i.e. (y, w) ∈ R.

— The Prover computes (sk, vk) ← SG(1^n); pk = H(vk); a ← Σ_1[y, w]; r chosen at random; A = Com(PK, pk, a, r). The Prover sends A and vk to the Verifier.

   P ——— A, vk ———> V

— The Verifier selects a random challenge c ← Σ_2 and sends it to the Prover.

   P <——— c ——— V

— The Prover computes z ← Σ_3[y, w, a, c] and sig = Sig_sk(y, A, c, a, r, z). He sends a, r, z, sig to the Verifier.

   P ——— a, r, z, sig ———> V

— The Verifier accepts iff A = Com(PK, pk, a, r); Ver_vk(y, A, c, a, r, z) = 1 and Acc(y, a, c, z) = 1.

Fig. 1. A Concurrently Non-malleable Proof of Knowledge

Theorem 1. If multi-trapdoor commitments exist, if H is a collision-resistant hash function, and if (SG, Sig, Ver) is a strong one-time signature scheme, then CNM-POK is a concurrently non-malleable proof of knowledge (see Definition 2).

4.1 The Strong RSA Version 

In this section we are going to add a few comments on the specific implementa- 
tions of our protocol, when using the number-theoretic constructions described 
in Sections 3.1 and 3.2. The main technical question is how to implement the 
collision resistant hash function H which maps inputs to public keys for the 
multi-trapdoor commitment scheme. 

The SDH implementation is basically ready to use "as is". Indeed the public keys pk of the multi-trapdoor commitment scheme are simply elements of Z_q, thus all that is needed is a collision-resistant hash function with output in Z_q.

On the other hand, for the Strong RSA based multi-trapdoor commitment, the public keys are prime numbers of the appropriate length. A prime-outputting collision-resistant hash function is described in [23]. However we can do better than that, by modifying slightly the whole protocol. We describe the modifications (inspired by [32, 15]) in this section.

Modifying the One-Time Signatures. First of all, we require the one-time signature scheme (SG, Sig, Ver) to have an extra property: i.e. that the distribution induced by SG over the verification keys vk is the uniform one*. Virtually all the known efficient one-time signature schemes have this property.

Then we assume that the collision resistant hash function used in the protocol is drawn from a family which is both a collision-resistant collection and a collection of families of universal hash functions†.

Assume that we have a randomly chosen hash function H from such a collection mapping n-bit strings (the verification keys) into k-bit strings and a prime P > 2^{k/2}.

We modify the key generation of our signature scheme as follows. We run SG repeatedly until we get a verification key vk such that e = 2P · H(vk) + 1 is a prime. Notice that ℓ' = |e| > 3k/2. Let us denote with SG' this modified key generation algorithm.

We note the following facts: 

— H(vk) follows a distribution over k-bit strings which is statistically close to uniform; thus using results on the density of primes in arithmetic progressions (see [1], the results hold under the Generalized Riemann Hypothesis) we know that this process will stop in polynomial time, i.e. after an expected i iterations.

— Since e is of the form 2PR + 1, and P > 2^{k/2}, primality testing of all the e candidates can be done deterministically and very efficiently (see Lemma 2 in [32]).

Thus this is quite an efficient way to associate primes to the verification keys. 

Notice that we are not compromising the security of the modified signature scheme. Indeed the keys of the modified scheme are a polynomially large fraction of the original universe of keys. Thus if a forger could forge signatures on this modified scheme, then the original scheme is not secure either.

On the Length of the Primes. In our application we need the prime e to be relatively prime to φ(N) where N is the RSA modulus used in the protocol. This can be achieved by setting ℓ > n/2 (i.e. e > √N). In typical applications (i.e. |N| = 1024) this is about 512 bits (we can obtain this by setting |P| = 352 and k, the length of the hash function output, to 160). Since the number of iterations to choose vk depends on the length of e, it would be nice to find a way to shorten it.

* This requirement can be relaxed to asking that the distribution has enough min-entropy.

† This is a reasonable assumption that can be made on families built out of a collision-resistant hash function (such as SHA-1). See also [18] for analysis of this type of function families.
If we use safe RSA moduli, then we can enforce that GCD(e, φ(N)) = 1 by choosing e small enough (for 1024-bit safe moduli we need them to be smaller than 500 bits). In this case the collision-resistant property will become the limiting factor in choosing the length. By today's standards we need k to be at least 160. So the resulting primes will be ≈ 240 bits long.
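The prime association of this section, e = 2P · H(vk) + 1 with SG rerun until e is prime, as an added example that is not the paper's own code. The one-time signature key generation SG is stood in for by uniformly random 256-bit strings (constructed; uniform vk is all the paper requires of it), H is SHA-1 with k = 160 and |P| = 352 as in the text above, and the deterministic primality check used here is Pocklington's criterion, which needs P > √e (satisfied at these sizes) rather than the condition the paper cites from [32].

```python
import hashlib
import secrets
from math import gcd

K = 160        # hash output length: SHA-1, as in the paper's typical parameters
P_BITS = 352   # length of the auxiliary prime P, as in the paper's typical parameters

def is_probable_prime(n, rounds=32):
    """Miller-Rabin; used only to generate the auxiliary prime P."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        y = pow(a, d, n)
        if y in (1, n - 1):
            continue
        for _ in range(s - 1):
            y = y * y % n
            if y == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    """Random prime with exactly `bits` bits (top bit set)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def hash_to_int(vk):
    """H(vk): the SHA-1 digest read as a k-bit integer."""
    r = int.from_bytes(hashlib.sha1(vk).digest(), "big")
    assert r.bit_length() <= K
    return r

def pocklington_prime(e, p_prime, bases=(2, 3, 5, 7)):
    """Deterministic criterion for e = 2*P*R + 1 with P prime and P^2 > e:
    if some base a has a^(e-1) = 1 (mod e) and gcd(a^((e-1)/P) - 1, e) = 1,
    then every prime factor of e is 1 mod P, hence larger than sqrt(e),
    so e is prime. A prime e is missed only if every base is a P-th power
    residue, which happens with probability about P^-4."""
    assert p_prime * p_prime > e, "Pocklington needs P > sqrt(e)"
    for a in bases:
        if pow(a, e - 1, e) != 1:
            return False                 # Fermat witness: e is composite
        g = gcd(pow(a, (e - 1) // p_prime, e) - 1, e)
        if g == 1:
            return True                  # certified prime
        if g != e:
            return False                 # g is a proper factor of e
    return False

def vk_to_prime(p_prime, sample_vk, max_iter=100000):
    """SG': rerun key generation until e = 2*P*H(vk) + 1 is prime.
    Returns (vk, e, number of key-generation runs)."""
    for iterations in range(1, max_iter + 1):
        vk = sample_vk()
        e = 2 * p_prime * hash_to_int(vk) + 1
        if pocklington_prime(e, p_prime):
            return vk, e, iterations
    raise RuntimeError("no prime found within max_iter")

def demo():
    p_prime = gen_prime(P_BITS)
    # Stand-in for SG (constructed): uniformly random 256-bit verification keys,
    # which is all the modified scheme requires of the real signature scheme.
    vk, e, iters = vk_to_prime(p_prime, lambda: secrets.token_bytes(32))
    return p_prime, vk, e, iters

if __name__ == "__main__":
    p_prime, vk, e, iters = demo()
    print(f"|P| = {p_prime.bit_length()}, |e| = {e.bit_length()}, runs = {iters}")
```

The expected number of runs is on the order of |e| (roughly 2/ln e per candidate), which is the cost the text proposes to cut by shortening e.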

4.2 Identification Protocols 

The main application of our result is the construction of concurrently secure identification protocols. In an identification protocol, a prover, associated with a public key pk, communicates with a verifier and tries to convince her that he is the legitimate prover (i.e. the person knowing the matching secret key sk). An adversary tries to mount an impersonation attack, i.e. tries to make the verifier accept without knowing the secret key sk.

The adversary could be limited to interact with the real prover only before mounting the actual impersonation attack [21]. On the other hand a more realistic approach is to consider the adversary a "man-in-the-middle", possibly in a concurrent fashion [5]. Clearly such an attacker can always relay messages unchanged between the prover and the verifier. In order to make a security definition meaningful, one defines a successful impersonation attack as one with a transcript different from the ones between the attacker and the real prover^.

It is not hard to see that CNM-POK is indeed a concurrently secure identifi- 
cation protocol. It is important to notice that we achieve full concurrency here, 
indeed the extraction procedure in the proof of Theorem 1 does not “care” if 
there are many other executions in which the adversary is acting as a prover. 
Indeed we do not need to rewind all executions, but only one in order to extract 
the one witness we need. Thus if there are other such executions “nested” inside 
the one we are rewinding, we just run them as the honest verifier. 
Abstract. In the bare public-key model (BPK in short), each verifier is assumed to have deposited a public key in a file that is accessible by all users at all times. In this model, introduced by Canetti et al. [STOC 2000], constant-round black-box concurrent and resettable zero knowledge is possible as opposed to the standard model for zero knowledge. As pointed out by Micali and Reyzin [Crypto 2001], the notion of soundness in this model is more subtle and complex than in the classical model and indeed four distinct notions have been introduced (from weakest to strongest): one-time, sequential, concurrent and resettable soundness.

In this paper we present the first constant-round concurrently sound resettable zero-knowledge argument system in the bare public-key model for NP. More specifically, we present a 4-round protocol, which is optimal as far as the number of rounds is concerned. Our result solves the main open problem on resettable zero knowledge in the BPK model and improves the previous works of Micali and Reyzin [EuroCrypt 2001] and Zhao et al. [EuroCrypt 2003] since they achieved concurrent soundness in stronger models.



1 Introduction 

The classical notion of a zero-knowledge proof has been introduced in [1] . Roughly 
speaking, in a zero-knowledge proof a prover can prove to a verifier the validity of 
a statement without releasing any additional information. In order to prove that 
a zero-knowledge protocol does not leak information it is required to show the 
existence of a probabilistic polynomial-time algorithm, referred to as Simulator, 
whose output is indistinguishable from the output of the interaction between the 
prover and the verifier. Since its introduction, the concept of a zero-knowledge 
proof and the simulation paradigm have been widely used to prove the security 
of many protocols. More recently, it has been recognized that in several practical 
settings the original notion of zero knowledge (which in its original formulation 
only considered one prover and one verifier that carried out the proof procedure in isolation) was insufficient. For example, the notion of concurrent zero knowledge [2] formalizes security in a scenario in which several verifiers access concurrently the same prover and maliciously coordinate their actions so as to extract information from the prover. Motivated by considerations regarding smart cards, the notion of resettable zero knowledge (rZK, in short) was introduced in [3]. An rZK proof remains "secure" even if the verifier is allowed to tamper with the prover and to reset the prover in the middle of a proof to any previous state and then ask different questions. It is easy to see that concurrent zero knowledge is a special case of resettable zero knowledge and, currently, rZK is the strongest notion of zero knowledge that has been studied. Unfortunately, if we only consider black-box zero knowledge, constant-round concurrent zero knowledge is only possible for trivial languages (see [4]). Moreover, the existence of a constant-round concurrent zero-knowledge argument in the non-black-box model (see [5] for the main results in the non-black-box model) is currently an open question. Such negative results have motivated the introduction of the bare public-key model [3] (BPK, in short). Here each possible verifier deposits a public key pk in a public file and keeps private the associated secret information sk. From then on, all provers interacting with such a verifier will use pk and the verifier cannot change pk from proof to proof. Canetti et al. [3] showed that constant-round rZK is possible in the BPK model. However, the fact that the verifier has a public key means that it is vulnerable to an attack by a malicious prover that opens several sessions with the same verifier in order to violate the soundness condition. This is to be contrasted with the standard models for interactive zero knowledge [1] or non-interactive zero knowledge [6] where, as far as soundness is concerned, it does not matter whether a malicious prover is interacting once or multiple times with the same verifier.

Indeed, in [7], Micali and Reyzin pointed out, among other contributions, 
that the known constant-round rZK arguments in the BPK model did not seem 
to be sound if a prover was allowed to concurrently interact with several instances 
of the same verifier. In other words, the known rZK arguments in the BPK were 
not concurrently sound. 

Micali and Reyzin gave in [7] a 4-round argument system which is sequentially sound (i.e., the soundness holds if a prover can play only sequential sessions) and probably is not concurrently sound, and they also showed that the same holds for the five-round protocol of Canetti et al. [3]. Moreover they proved that resettable soundness cannot be achieved in the black-box model. In [8], Barak et al. used non-black-box techniques in order to obtain a constant-round rZK argument of knowledge but their protocol enjoys only sequential soundness.

In order to design a concurrently sound resettable zero-knowledge argument 
system, Micali and Reyzin proposed (see [9]) the upper bounded public-key 
(UPK, in short) model in which a honest verifier possesses a counter and uses 
the same private key no more than a fixed polynomial number of times. A weaker 
model than the UPK model but still stronger than the BPK model is the weak 
public-key (WPK, in short) model introduced in [10]. In this model an honest 
verifier can use the same key no more than a fixed polynomial number of times for each statement to be proved.

Other models were proposed in order to achieve constant-round concur- 
rent zero knowledge. In particular, in [2, 11] a constant-round concurrent zero- 
knowledge proof system is presented by relaxing the asynchrony of the model or 
the zero-knowledge property. In [12] a constant-round concurrent zero-knowledge 
proof system is presented by requiring a pre-processing stage in which both the 
provers and the verifiers are involved. In [13] a constant-round concurrent zero- 
knowledge proof is presented assuming the existence of a trusted auxiliary string. 
All these models are considered stronger than the BPK model. 

Our results. In this paper we present the first constant-round concurrently sound resettable zero-knowledge argument system in the BPK model for NP. In particular we show a 4-round argument that is optimal in light of a lower bound for concurrent soundness proved in [7]. We stress that our result is the best one can hope for in terms of combined security against malicious provers and verifiers if we restrict ourselves to black-box zero knowledge, since in this setting simultaneously achieving resettable soundness and zero knowledge has been shown to be possible only for languages in BPP by [7]. Our construction employs the technique of complexity leveraging used in the previous results [3, 7, 10] in order to prove the soundness of their protocols and is based on the existence of a verifiably binding cryptosystem semantically secure against subexponential adversaries. The existence of cryptographic primitives secure against subexponential adversaries is used also in [3, 7, 10] and the existence of a constant-round black-box rZK argument system in the BPK model assuming only cryptographic primitives secure against polynomial-time adversaries is an interesting open question.

Finally, we describe a simple 3-round sequentially sound and sequential zero-knowledge argument system in the BPK model for all NP.

2 Definitions 

The BPK model. The Bare Public-Key (BPK, in short) model assumes that: 

1. there exists a public file F that is a collection of records, each containing a public key;

2. an (honest) prover is an interactive deterministic polynomial-time algorithm that takes as input a security parameter 1^n, F, an n-bit string x, such that x ∈ L and L is an NP-language, an auxiliary input y, a reference to an entry of F and a random tape;

3. an (honest) verifier V is an interactive deterministic polynomial-time algorithm that works in the following two stages: 1) in a first stage on input a security parameter 1^n and a random tape, V generates a key pair (pk, sk) and stores pk in one entry of the file F; 2) in the second stage, V takes as input sk, a statement x ∈ L and a random string, V performs an interactive protocol with a prover, and outputs "accept" or "reject";

4. the first interaction of each prover starts after all verifiers have completed their first stage.
Definition 1. Given an NP-language L and its corresponding relation R_L, we say that a pair (P, V) is complete for L, if for all n-bit strings x ∈ L and any witness y such that (x, y) ∈ R_L, the probability that V interacting with P on input y, outputs "reject" is negligible in n.

Malicious provers in the BPK model. Let s be a positive polynomial and P* be a probabilistic polynomial-time algorithm that takes as first input 1^n.

P* is an s-sequential malicious prover if it runs in at most s(n) stages in the following way: in stage 1, P* receives a public key pk and outputs an n-bit string x_1. In every even stage, P* starts from the final configuration of the previous stage, sends and receives messages of a single interactive protocol on input pk and can decide to abort the stage at any moment and to start the next one. In every odd stage i > 1, P* starts from the final configuration of the previous stage and outputs an n-bit string x_i.

P* is an s-concurrent malicious prover if on input a public key pk of V, it can perform the following s(n) interactive protocols with V: 1) if P* is already running i protocols, 0 ≤ i < s(n), he can start a new protocol with V choosing the new statement to be proved; 2) he can output a message for any running protocol, receive immediately the response from V and continue.

Attacks in the BPK model. In [7] the following attacks have been defined. 

Given an s-sequential malicious prover P* and an honest verifier V, a sequential attack is performed in the following way: 1) the first stage of V is run on input 1^n and a random string so that a pair (pk, sk) is obtained; 2) the first stage of P* is run on input 1^n and pk and x_1 is obtained; 3) for 1 ≤ i ≤ s(n)/2 the 2i-th stage of P* is run letting it interact with V that receives as input sk, x_i and a random string r_i, while the (2i + 1)-th stage of P* is run to obtain x_i.

Given an s-concurrent malicious prover P* and an honest verifier V, a concurrent attack is performed in the following way: 1) the first stage of V is run on input 1^n and a random string so that a pair (pk, sk) is obtained; 2) P* is run on input 1^n and pk; 3) whenever P* starts a new protocol choosing a statement, V is run on inputs the new statement, a new random string and sk.

Definition 2. Given a complete pair (P, V) for an NP-language L in the BPK 
model, then (P,V) is a concurrently (resp. sequentially) sound interactive ar- 
gument system for L if for all positive polynomial s, for all s-concurrent (resp 
s-sequential) malicious prover P* , for any false statement “x G L” the proba- 
bility that in an execution of a concurrent (resp. sequential) attack V outputs 
“accept” for such a statement is negligible in n. 

The strongest notion of zero knowledge, referred to as resettable zero knowledge, 
gives to a verifier the ability to rewind the prover to a previous state. This is 
significantly different from a scenario of multiple interactions between prover 
and verifier since after a rewinding the prover uses the same random bits. 

We now give the formal definition of a black-box resettable zero-knowledge 
argument system for MV in the bare public-key model. 
Definition 3. An interactive argument system (P, V) in the BPK model is black-box resettable zero-knowledge if there exists a probabilistic polynomial-time algorithm S such that for any probabilistic polynomial time V*, for any polynomials s, t, for any x_i ∈ L, |x_i| = n, i = 1, ..., s(n), V* runs in at most t steps and the following two distributions are indistinguishable:

1. the output of V* that generates F with s(n) entries and interacts (even concurrently) a polynomial number of times with each P(x_i, y_i, j, r_k, F) where y_i is a witness for x_i ∈ L, |x_i| = n and r_k is a random tape for 1 ≤ i, j, k ≤ s(n);

2. the output of S interacting with V* on input x_1, ..., x_{s(n)}.

Moreover we define such an adversarial verifier V* as an (s, t)-resetting malicious verifier.

An important tool used in this paper is that of a non-interactive zero-knowledge argument system.

Definition 4. A pair of probabilistic polynomial-time algorithms (NIPK, NIVK) is a non-interactive zero-knowledge argument system for an NP language L if there exists a polynomial k(·),

1. (Completeness) for all x ∈ L, with |x| = n and NP-witness y for x ∈ L,

   Pr[σ ← {0,1}^{k(n)}; Π ← NIPK(x, y, σ) : NIVK(x, Π, σ) = 1] = 1.

2. (Soundness) for all x ∉ L

   Pr[σ ← {0,1}^{k(n)}; ∃Π : NIVK(x, Π, σ) = 1]

is negligible.

3. (Simulatability) there exists a probabilistic polynomial-time algorithm S such that the family of distributions

   {(σ, Π) ← S(x) : (σ, Π)}_{x∈L} and {σ ← {0,1}^{k(n)}; Π ← NIPK(x, y, σ) : (σ, Π)}_{x∈L}

are computationally indistinguishable.

We assume, without loss of generality, that a random reference string of length n is sufficient for proving theorems of length n (that is, we assume k(n) = n).

3 Concurrently Sound rZK Argument System for NP in the BPK Model

In this section we present a constant-round concurrently sound resettable zero-knowledge argument in the BPK model for all NP languages.

In our construction we assume the existence of an encryption scheme that is 
secure with respect to sub-exponential adversaries and that is verifiably binding. 
We next review the notion of semantic security adapted for sub-exponential 
adversaries and present the notion of a verifiably binding cryptosystem. 
An encryption scheme is a triple of efficient algorithms PK = (G, E, D). The key generator algorithm G on input a random k-bit string r (the security parameter) outputs a pair (pk, sk) of public and private key. The public key pk is used to encrypt a string m by computing E(pk, m; r) where r is a random string of length |m|.

Semantic security [14] is defined by considering the following experiment for encryption scheme PK = (G, E, D) involving a two-part adversary A = (A_0, A_1). The key generator G is run on a random k-bit string and keys (pk, sk) are given in output. Two POLY(k)-bit strings ω_0 and ω_1 are returned by A_0 on input pk. Then b is taken at random from {0, 1} and an encryption ξ of ω_b is computed. We say that adversary A is successful for PK if the probability that A_1 outputs b on input pk, ω_0, ω_1 and ξ is non-negligibly (in k) greater than 1/2. We say that PK is η-secure if no adversary running in time o(2^{k^η}) is successful. The classical notion of semantic security is instead obtained by requiring that no polynomial-time adversary is successful.

Roughly speaking, a verifiably binding cryptosystem PK is a cryptosystem for 
which 1) given a string pk and an integer k, it is easy to verify that pk is a legal 
public key with security parameter k and 2) to each ciphertext corresponds at 
most one plaintext. 

More formally. 

Definition 5. An η-secure encryption scheme PK = (G, E, D) is verifiably binding iff:

1. (binding): for any probabilistic polynomial-time algorithm A it holds that

   Pr[(pk, m_0, m_1, r_0, r_1) ← A(1^k) : E(pk, m_0; r_0) = E(pk, m_1; r_1)]

is negligible in k;

2. (verifiability): there exists a probabilistic polynomial-time algorithm VER such that if pk belongs to the output space of G on input a k-bit string then VER(pk, 1^k) = 1; VER(pk, 1^k) = 0 otherwise.

Assumptions. To prove the properties of our protocol we make the following 
complexity theoretic assumptions: 

1. The existence of an η-secure verifiably binding encryption scheme PK = (G, E, D) for some η > 0.

We briefly note that the El Gamal encryption scheme [15] is verifiably binding since an exponentiation in Z* is one to one and it can be easily verified that a positive integer q is a prime.

2. The existence of a one-to-one length-preserving one-way function f : {0, 1}^* → {0, 1}^* which, in turn, implies the existence of a pseudo-random family of functions R = {R_s}.

3. The existence of a non-interactive zero-knowledge proof system (NIZK, in short) (NIPK, NIVK) for an NP-complete language.

4. The existence of a 3-round witness indistinguishable argument of knowledge WI = (WI_1, WI_2, WI_3) for a specific polynomial-time relation that we define in the following way. Let f be a one-to-one length-preserving one-way function and let PK be an η-secure verifiably binding encryption scheme. Then define the polynomial-time relation R = R(PK, f) as consisting of all pairs ((pk, v), wit), where pk is a public key of the output space of G and v is a string and either wit = sk and (pk, sk) is in the output space of G or wit = u and f(u) = v.

Before describing our protocol formally, let us try to convey the main idea behind it. Fix an NP language L and let x be the input statement. The prover generates a puzzle (in our construction, the puzzle consists of a string v and solving the puzzle consists in finding the inverse of the one-to-one length-preserving one-way function f) and sends it to the verifier. The verifier uses WI to prove knowledge of the private key sk_i associated to her public key pk_i or knowledge of the solution of the puzzle given to her by the prover. Moreover, the prover and the verifier play a coin tossing protocol, based on the encryption scheme PK, to generate a reference string for the NIZK proof that x ∈ L.

In our implementation of the FLS-paradigm [16], in the interaction between the prover and the verifier, the verifier will use his knowledge of the private key to run WI. In order to prove concurrent soundness, we show an algorithm A that interacts with a (possibly) cheating prover P* and breaks an η-secure encryption scheme in time o(2^{k^η}). The puzzle helps algorithm A in simulating the verifier with respect to a challenge public key pk for which it does not have access to the private key. Indeed, A instead of proving knowledge of the private key associated to pk proves knowledge of the solution of the puzzle by performing exhaustive search. By carefully picking the size of the puzzle (and thus the time required to solve it) we can make sure A runs in time o(2^{k^η}).

Note that when A inverts the one-to-one length-preserving one-way function 
and computes the witness-indistinguishable argument of knowledge, it runs in 
subexponential time in order to simulate the verifier without performing rewinds. 
Straight-line quasi-polynomial time simulatable argument systems were studied 
in detail in [17], where this relaxed simulation notion is used to decrease the 
round complexity of argument systems. We use a similar technique but for sub- 
exponential time simulation of arguments of knowledge. 

If the steps described above were executed sequentially, we would have an 8-round protocol (one round for the prover to send the puzzle, three rounds for the coin tossing, three rounds for the witness-indistinguishable argument of knowledge, and one round for the NIZK). However, observe that the coin-tossing protocol and the 3-round witness-indistinguishable argument of knowledge can be performed in parallel, thus reducing the round complexity to 5 rounds. Moreover, we can save one more round, by letting the prover send the puzzle in parallel with the second round of the witness indistinguishable argument of knowledge. To do so, we need a special implementation of this primitive since, when the protocol starts, only the size of the statement is known and the statement itself is part of the second round. Let us now give the details of our construction.
The public file. The public file F contains entries consisting in public keys with security parameter k for the public-key cryptosystem PK.

Private inputs. The private input of the prover consists of a witness y for x ∈ L. The private input of the verifier consists of the secret key sk_i corresponding to the public key pk_i.

The protocol. Suppose that the prover wants to prove that x ∈ L and denote by n = poly(k) the length of x. We denote by i the index of the verifier in the public file so that the verifier knows the private key sk_i associated with the i-th public key pk_i of the public file F.

In the first round $V$ randomly picks an $n$-bit string $\sigma_V$ that will be used as $V$'s contribution to the reference string for the non-interactive zero-knowledge protocol. $V$ computes the encryption $\xi$ of $\sigma_V$ using an $n$-bit string $r_V$ as randomness and the public key $\mathrm{pk}_i$. Moreover, $V$ runs $\mathrm{WI}_1$ in order to compute the first message $a_1$ of the witness-indistinguishable argument of knowledge. Then $V$ sends $(\xi, a_1)$ to $P$. In the second round $P$ verifies that $\mathrm{pk}_i$ is a legal public key for PK with $k$ as security parameter and then computes its contribution to the random string to be used for the non-interactive argument by picking a random seed $s$ and computing $(u, \sigma_P) = R_s(x \circ y \circ F \circ \xi \circ a_1 \circ i)$ ("$\circ$" denotes concatenation), where $\{R_s\}$ is a family of pseudorandom functions. The string $u$ has length $k' < k$ (to be determined later), whereas $\sigma_P$ has length $n$ and is $P$'s contribution to the reference string. $P$ runs $\mathrm{WI}_2$ to compute the second message $a_2$ of the witness-indistinguishable argument of knowledge. Moreover $P$ computes $v = f(u)$, where $f$ is a one-to-one length-preserving one-way function, and sends $(\sigma_P, a_2, v)$ to the verifier. In the third round of the protocol $V$ uses her knowledge of the private key to run $\mathrm{WI}_3$, obtaining $a_3$, so that she proves that she knows either the private key associated with $\mathrm{pk}_i$ or $f^{-1}(v)$. $V$ then sends $a_3$, $\sigma_V$ and $r_V$ to $P$. In the last round of the protocol $P$ verifies that the witness-indistinguishable argument of knowledge is correct and that $\xi$ is an encryption of $\sigma_V$. Then $P$ runs algorithm NiPm on input $x$, using $\sigma = \sigma_P \oplus \sigma_V$ as reference string, and obtains a proof $\Pi$ that is sent to $V$. A more formal description of the protocol is found in Figure 1.
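The following Python snippet is an added illustration of the prover's second round and is not code from the paper. It models the point that every random choice of the prover in a session is a pseudorandom function of the verifier's first message (and of the prover's own seed $s$, which belongs to its random tape), so a verifier that resets the prover and replays the same $(\xi, a_1)$ obtains exactly the same $(\sigma_P, v)$. HMAC-SHA256 in counter mode stands in for the PRF family $\{R_s\}$, and a SHA-256 digest stands in for the one-way function $f$; neither choice is from the paper, and the hash is not a length-preserving permutation, which is an assumption of this example only.

```python
import hashlib
import hmac


def derive_round2(seed: bytes, x: bytes, y: bytes, F: bytes, xi: bytes,
                  a1: bytes, i: int, k_prime: int, n: int):
    """Model of P-round-2: (u, sigma_P) = R_s(x o y o F o xi o a1 o i).

    R_s is modelled by HMAC-SHA256 keyed with the seed s and run in counter
    mode until k' + n output bits are available (assumption of this example).
    Inputs are length-prefixed so that the concatenation is unambiguous.
    """
    parts = [x, y, F, xi, a1, i.to_bytes(4, "big")]
    transcript = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    out, ctr = b"", 0
    while len(out) * 8 < k_prime + n:
        out += hmac.new(seed, transcript + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    bits = "".join(f"{b:08b}" for b in out)
    u = bits[:k_prime]                    # preimage of the puzzle, kept secret by P
    sigma_p = bits[k_prime:k_prime + n]   # P's share of the NIZK reference string
    # Stand-in for the one-to-one length-preserving one-way function f (assumption).
    v = hashlib.sha256(u.encode()).hexdigest()
    return u, sigma_p, v


def reset_consistency(seed, x, y, F, xi, a1, i, k_prime=40, n=64):
    """Return (same first message gives same reply, changed first message gives a different reply)."""
    first = derive_round2(seed, x, y, F, xi, a1, i, k_prime, n)
    replay = derive_round2(seed, x, y, F, xi, a1, i, k_prime, n)        # verifier resets P and replays
    changed = derive_round2(seed, x, y, F, xi, a1 + b"'", i, k_prime, n)  # verifier alters a1
    return first == replay, first != changed
```

The second function shows why resetting the prover does not help a verifier: the same incarnation (same random tape, hence the same seed) answers the same first message identically, so the verifier never sees two different puzzles or reference-string shares for one committed $\sigma_V$.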

Theorem 1. If there exist an $\eta$-secure verifiably binding encryption scheme and a one-to-one length-preserving one-way function, then there exists a constant-round concurrently sound resettable zero-knowledge argument for all languages in NP in the BPK model.

Proof. Consider the protocol found in Figure 1.

Common input: the public file $F$, an $n$-bit string $x \in L$ and an index $i$ that specifies the $i$-th entry of $F$. Public key $\mathrm{pk}_i$ has security parameter $k$.
$P$'s private input: a witness $y$ for $x \in L$.
$V$'s private input: private key $\mathrm{sk}_i$.

V-round-1:
1. randomly pick $\sigma_V \leftarrow \{0,1\}^n$ and $r_V \leftarrow \{0,1\}^n$;
2. compute $\xi = E(\mathrm{pk}_i, \sigma_V; r_V)$ and $a_1 = \mathrm{WI}_1(1^k)$;
3. send $(\xi, a_1)$ to $P$;

P-round-2:
1. verify that $\mathrm{pk}_i$ is a public key with security parameter $k$ for PK;
2. randomly pick $s \leftarrow \{0,1\}^n$ and compute $R = R_s(x \circ y \circ F \circ \xi \circ a_1 \circ i)$; let $u$ be the string consisting of the first $k'$ bits of $R$ and $\sigma_P$ the string consisting of the next $n$ bits of $R$;
3. compute $a_2 = \mathrm{WI}_2(a_1)$;
4. compute $v = f(u)$, where $f$ is a one-to-one length-preserving one-way function;
5. send $(\sigma_P, a_2, v)$ to $V$;

V-round-3:
1. verify that $v$ is a $k'$-bit string;
2. set $\sigma = \sigma_P \oplus \sigma_V$;
3. run algorithm $\mathrm{WI}_3$ on input instance $(\mathrm{pk}_i, v)$ and messages $a_1, a_2$, using $\mathrm{sk}_i$ as a witness, obtaining $a_3$;
4. send $(\sigma_V, a_3, r_V)$ to $P$;

P-round-4:
1. verify that $\xi = E(\mathrm{pk}_i, \sigma_V; r_V)$;
2. set $\sigma = \sigma_P \oplus \sigma_V$;
3. verify that $(a_1, a_2, a_3)$ is a correct transcript of the 3-round witness-indistinguishable argument on input instance $(\mathrm{pk}_i, v)$;
4. run NiPm on input instance $x$, with $y$ as witness and $\sigma$ as reference string, obtaining proof $\Pi$;
5. send $\Pi$ to $V$;

V-decision: verify that $\Pi$ is a proof by running algorithm NiVm on input $x$, $\Pi$ and $\sigma$.

Fig. 1. The 4-round concurrently sound rZK argument system for NP in the BPK model. The values $k$ and $k'$ are determined as functions of $n$ in the proof of concurrent soundness.

Completeness. If $x \in L$ then $P$ can always compute the proof $\Pi$ and $V$ accepts it.

Concurrent soundness. Assume by contradiction that the protocol is not concurrently sound. Thus there exists an $s$-concurrent malicious prover $P^*$ that, by concurrently interacting with $V$, has non-negligible probability $p(n)$ of making the verifier accept some $x \notin L$ of length $n$. We assume we know the index of the session $j^*$ in which the prover will succeed in cheating (this assumption will be removed later) and exhibit an algorithm $A$ that has black-box access to $P^*$ (i.e., $A$ simulates the work of a verifier $V$) and breaks the encryption scheme PK in $o(2^{k^\eta})$ steps, thus reaching a contradiction.

We now describe algorithm $A$. $A$ runs in two stages. First, on input the challenge public key pk, $A$ randomly picks two strings $\omega_0$ and $\omega_1$ of the same length as the reference string used by (NiPm, NiVm) for inputs of length $n$. Then $A$ receives as a challenge an encryption $\xi$ of $\omega_b$ computed using public key pk and $b \in \{0,1\}$. $A$'s task is to guess $b \in \{0,1\}$ with a non-negligible advantage over $1/2$ (we assume that $b$ is randomly chosen).

For all the sessions, $A$ interacts with the $s$-concurrent prover $P^*$ mounting a concurrent attack, and simulates the verifier by computing the two messages as explained below. When $A$ reaches session $j^*$, $A$ outputs her guess for bit $b$.

1. Session $j \neq j^*$.

At V-round-1, $A$ sends an encryption $\xi$ of a randomly chosen string $\sigma_V$ computed with $r_V$ as randomness, and sends the first round $a_1$ of the witness-indistinguishable argument of knowledge. Upon receiving message $(\sigma_P, a_2, v)$ from $P^*$, $A$ inverts the one-to-one length-preserving one-way function $f$ on $v$, obtaining $u = f^{-1}(v)$ by exhaustive search in $\{0,1\}^{k'}$. $A$ then computes $a_3$ by running $\mathrm{WI}_3$ on input instance $(\mathrm{pk}_i, v)$ and witness $u$, and sends to $P^*$ the triple $(\sigma_V, a_3, r_V)$.

Note that $A$ plays round V-round-1 identically to the honest verifier, while $A$ plays round V-round-3 using a different witness from $V$ for the argument of knowledge, which is however concurrently witness indistinguishable.

2. Session $j^*$.

At V-round-1, $A$ computes the first message $a_1$ of the witness-indistinguishable argument of knowledge and sets $\xi$ equal to the challenge encryption. Then $A$ sends $(\xi, a_1)$ to $P^*$.

At V-round-3, $A$ cannot continue with this session, since she does not know the decryption of $\xi$ (remember that $\xi = E(\mathrm{pk}, \omega_b)$) and thus cannot play the third round. However, by assumption $P^*$ can produce with non-negligible probability a string $\Pi^*$ that is accepted by NiVm on input $x$ and reference string $\rho_b = \omega_b \oplus \sigma_P$. Let $r$ be an upper bound on the length of such a non-interactive zero-knowledge argument, and let $\rho_0 = \omega_0 \oplus \sigma_P$ and $\rho_1 = \omega_1 \oplus \sigma_P$. $A$ checks, by exhaustive search, whether there exists $\Pi_0 \in \{0,1\}^r$ such that NiVm accepts $\Pi_0$ on input $x$ and $\rho_0$ as reference string. Then $A$ searches in the same way for a string $\Pi_1 \in \{0,1\}^r$ accepted with $\rho_1$ as reference string. If a proof $\Pi_0$ is found and no proof $\Pi_1$ is found then $A$ outputs 0; in the opposite case $A$ outputs 1; otherwise (that is, if both or neither proof exists) $A$ randomly guesses the bit $b$.

We note that the distribution of the first message of session $j^*$ is still identical to the distribution of the honest verifier's message.

Let us now show that the probability that $A$ correctly guesses $b$ is non-negligibly larger than $1/2$. We have that

$$\Pr[A \text{ outputs } b] = \Pr[\exists \Pi_b \wedge \nexists \Pi_{1-b}] + \tfrac{1}{2}\left(\Pr[\exists \Pi_b \wedge \exists \Pi_{1-b}] + \Pr[\nexists \Pi_b \wedge \nexists \Pi_{1-b}]\right)$$

$$= \tfrac{1}{2} + \tfrac{1}{2}\left(\Pr[\exists \Pi_b \wedge \nexists \Pi_{1-b}] - \Pr[\nexists \Pi_b \wedge \exists \Pi_{1-b}]\right)$$

$$= \tfrac{1}{2} + \tfrac{1}{2}\left(\Pr[\exists \Pi_b \wedge \nexists \Pi_{1-b} \wedge x \notin L] - \Pr[\nexists \Pi_b \wedge \exists \Pi_{1-b} \wedge x \notin L]\right).$$

The second equality uses that the four events partition the probability space, so $\Pr[\exists \Pi_b \wedge \exists \Pi_{1-b}] + \Pr[\nexists \Pi_b \wedge \nexists \Pi_{1-b}] = 1 - \Pr[\exists \Pi_b \wedge \nexists \Pi_{1-b}] - \Pr[\nexists \Pi_b \wedge \exists \Pi_{1-b}]$. The last equality follows from the observation that, by the completeness of the NIZK, the events $\nexists \Pi_{1-b}$ and $\nexists \Pi_b$ can happen only if $x \notin L$. Now, we have

$$\Pr[A \text{ outputs } b] = \tfrac{1}{2} + \tfrac{1}{2}\left(\Pr[\exists \Pi_b \wedge x \notin L] - \Pr[\exists \Pi_b \wedge \exists \Pi_{1-b} \wedge x \notin L] - \Pr[\nexists \Pi_b \wedge \exists \Pi_{1-b} \wedge x \notin L]\right)$$

$$\ge \tfrac{1}{2} + \frac{p(n)}{2} - \frac{\Pr[\exists \Pi_{1-b} \wedge x \notin L]}{2}.$$

Now, since the string $\omega_{1-b}$ is picked at random and $P^*$ has no information about it, the string $\rho_{1-b}$ is random and thus, by the soundness of (NiPm, NiVm), $\Pr[\exists \Pi_{1-b} \wedge x \notin L]$ is negligible. Therefore, the probability that $A$ correctly guesses $b$ is non-negligibly larger than $1/2$.

We note that algorithm $A$ takes time $\mathrm{poly}(n) \cdot (2^{k'} + 2^r)$. Writing $r$ as $r = n^\gamma$ for some constant $\gamma$, we pick $k$ and $k'$ so that $n^\gamma < k^{\eta/2}$ and $k' < k^{\eta/2}$. We thus have that $A$ breaks an $\eta$-secure verifiably binding cryptosystem in time bounded by $\mathrm{poly}(k^{\eta/(2\gamma)}) \cdot (2^{k^{\eta/2}} + 2^{k^{\eta/2}}) = o(2^{k^\eta})$.

Therefore the existence of $A$ contradicts the $\eta$-security of the cryptosystem.

In our proof we assumed that $A$ knows the value $j^*$. If this is not the case, $A$ can simply guess the value; the same analysis applies and the advantage of $A$ in guessing $b$ decreases only by a polynomial factor.

Resettable Zero Knowledge. Let $V^*$ be an $(s,t)$-resetting verifier. We now present a probabilistic polynomial-time algorithm $S$ that has black-box access to $V^*$ and whose output is computationally indistinguishable from the view of the interactions between $P$ and $V^*$.

We start with an informal discussion. The construction of S is very similar 
to the construction of the simulator for the constant-round (sequentially sound) 
resettable zero-knowledge argument for any NP language and in the BPK model, 
given in [3] (protocol 6.2). In particular, note that both the protocol of Figure 1 
and protocol 6.2 in [3] can be abstractly described as follows. The prover and 
the verifier run a 3-round argument of knowledge, where the verifier, acting as 
a prover, proves knowledge to the prover, acting as verifier, of some trapdoor 
information. Knowledge of the trapdoor information allows for efficient simula- 
tion of the interaction between the prover and the verifier. In [3], the trapdoor 
information is the private key associated with the verifier’s public key. In our 
protocol, the trapdoor information is either the private key associated with the 
verifier's public key (for the real verifier) or the inverse of an output of a one-to-one length-preserving one-way function sent from the prover to the verifier. Note that, just to obtain round optimality, we use a special witness-indistinguishable argument of knowledge where the statement is known only after the second round is played, while its size is known from the beginning. Due to this difference,
our simulator only differs from the one of [3] in the fact that we need to prove 
that when the simulator runs the extractor of the argument of knowledge, with 
high probability it extracts the verifier’s private key (rather than f~^(v)). The 
rest of the construction of our simulator is conceptually identical to that of [3], 
but we still review a more precise description here for completeness. 
First of all, without loss of generality, we make the following two simplifying
assumptions. Recall that, since our protocol is a resettable zero-knowledge ar- 
gument system, V* is allowed to reset the prover. However, in [3] Canetti et al. 
proved that in such a setting a verifier that concurrently interacts with many in- 
carnations of the prover does not get any advantage with respect to a sequential 
(resetting) verifier (that is, a verifier that runs a new session only after having 
terminated the previous one). Thus in this proof we will consider V* as a se- 
quential (resetting) verifier. A second assumption is that we can define S for a 
modification of our protocol in which the prover uses a truly random function 
rather than a pseudo-random one to compute her random bits. Proving that the 
two views are computationally indistinguishable is rather standard. 

$S$ runs the first stage of $V^*$ so that the public file, composed of $s(n)$ entries, is obtained. In the second stage, the aim of the simulator is to obtain the private keys corresponding to the public keys of the public file. Let $V^*(F)$ be the state of $V^*$ at the end of the first stage.

In the following, we say that a session is solved by $S$ if $S$ has the private key corresponding to the public key used by $V^*$ in this session. The work of $S$ in the second stage of the simulation is composed of at most $s(n) + 1$ sequential phases. In each phase, either $S$ has a chance of terminating the simulation or $S$ learns one more private key. At the end of each phase $S$ rewinds $V^*$ to state $V^*(F)$. The simulation ends as soon as $S$ manages to solve all sessions of a phase.

We describe now the work of S during a phase. Once a session is started, 
S receives the first message from V*. Then there are two cases. If the session 
is solved by S then S can simulate the prover; otherwise, S tries to obtain the 
private key used in this session so that all future sessions involving this verifier 
will be solved by S. 

Specifically, first consider the simpler case of a solved session. We distinguish two sub-cases. First, we consider the sub-case where the first message in the session $(\xi, a_1)$ has not appeared before for the same incarnation of the prover, i.e., $(\xi, a_1)$ has not appeared before for the same prover oracle accessed by $V^*$ with the same random tape, same witness and same theorem. Then $S$ runs the simulator for (NiPm, NiVm) on input $x$, obtains a pair $(\sigma^*, \Pi^*)$, and then forces $\sigma$ to be equal to $\sigma^*$ in the following way. Since $S$ knows the verifier's secret key (we are assuming in this sub-case that the session is solved), $S$ can decrypt $\xi$ and thus obtain the string $\sigma_V$ computed by the verifier in the first round. Thus $S$ sets $\sigma_P = \sigma_V \oplus \sigma^*$. Consequently, in round P-round-4, $S$ will send the "proof" $\Pi^*$ (which is computationally indistinguishable from the proof computed by the real prover). We use here the binding property of the encryption scheme, since $S$ must decrypt $\xi$ obtaining the same value $\sigma_V$ that will be sent by $V^*$ in round V-round-3.

Now we consider the sub-case where the first message in the session $(\xi, a_1)$ has already appeared in such a phase for the same incarnation of the prover. Here $S$ sends the same strings $\sigma_P$, $a_2$ and the same $k'$-bit string $v$ that were sent in the previous session containing $(\xi, a_1)$ as first message for the same incarnation of the prover. Likewise, for the third message of a session that has already appeared for the same incarnation of the prover, $S$ replies with the same round P-round-4 played before.

We now consider the harder case of a session which is not solved by $S$. In this case $S$ uses the argument of knowledge of $V^*$ to obtain the private key used in this session. Specifically, in any unsolved session, the simulator uses the extractor $E$ associated with the witness-indistinguishable argument of knowledge used by the verifier.

Recall that we denote by $(\xi, a_1)$ the first message sent by the verifier in the current session, by $\mathrm{pk}_i$ the verifier's public key and by $v = f(u)$ the puzzle sent by the simulator when simulating the prover's first message. We now distinguish three possible cases.

Case 1: The message $(\xi, a_1)$ has not yet appeared in a previous session for the same incarnation of the prover and the extractor $E$ obtains $\mathrm{sk}_i$ as witness. Note that $S$ obtains the verifier's private key by running $E$. This is the most benign of the three cases, since the session is now solved.

Case 2: The message $(\xi, a_1)$ has not yet appeared in a previous session for the same incarnation of the prover and the extractor $E$ obtains $f^{-1}(v)$ as witness. Note however that the value $v$ has been chosen by $S$ itself. If this case happens with non-negligible probability then we can use $V^*$ to invert the one-way function $f$. We stress that this case is the only conceptual difference between our proof and the proof of rZK of protocol 6.2 in [3].

Case 3: The message $(\xi, a_1)$ has already appeared in a previous session for the same incarnation of the prover. Note that since we are assuming that the current session is not solved by $S$, this means that in at least one previous session $V^*$ sent $(\xi, a_1)$ but then did not continue with such a session. This prevents $S$ from simulating as in Case 2, since the simulation would not be correct. (Specifically, as discussed in [3], in a real execution of the argument the pseudo-random string used as random string for the prover's first message is determined by the previous uncompleted session (the input of $R_s$ is the same in both cases and the seed $s$ is taken from the same random tape) and therefore cannot be reset by $S$ so as to simulate this case by running an independent execution of $E$.) This problem is bypassed precisely as in [3]. That is, $S$ tries to continue the simulation from the maximal sequence of executions which does not contain $(\xi, a_1)$ as a first step of the verifier for such an incarnation of the prover, using a new random function.

The same analysis as in [3] shows that this simulation strategy ends in expected polynomial time and returns a distribution indistinguishable from a real execution of the argument. □

3-Round WI Argument of Knowledge. As already pointed out above, we can save one round (and thus obtain a 4-round argument system instead of a 5-round one) by having the prover send the puzzle after the verifier has started the witness-indistinguishable argument of knowledge. In this argument of knowledge, the verifier acts as a prover and shows knowledge of either the secret key associated with his public key or of a solution of the puzzle. Consequently, the input statement of such an argument of knowledge is not known from the start; when the first message is produced, only its length is known.

Next we briefly describe such an argument of knowledge by adapting to our needs the technique used by [16] to obtain a non-interactive zero-knowledge proof system for Hamiltonicity.

1. The prover commits to $n$ randomly generated Hamiltonian cycles on $n$ vertices (each edge is hidden in a committed $n \times n$ adjacency matrix);

2. the graph $G$ is presented to the prover and the verifier, and the verifier sends an $n$-bit random challenge;

3. if the $i$-th bit of the challenge is 0 then the prover opens the $i$-th Hamiltonian cycle;

4. if the $i$-th bit of the challenge is 1 then the prover sends a permutation $\pi_i$ and shows that each edge that is missing in the graph $\pi_i(G)$ corresponds to a commitment of 0 in the $i$-th committed Hamiltonian cycle.

Completeness, soundness and witness indistinguishability can be easily verified. The protocol is an argument of knowledge since an extractor that rewinds the prover and changes the challenge obtains a Hamiltonian cycle of $G$: from an opened cycle $C_i$ (challenge bit 0) and the permutation $\pi_i$ answering the same commitment with challenge bit 1, the binding of the commitments gives $C_i \subseteq \pi_i(G)$, so $\pi_i^{-1}(C_i)$ is a Hamiltonian cycle of $G$.

4 Sequentially Sound Sequential Zero Knowledge for NP in the BPK Model

In this section we give a 3-round sequentially sound sequential zero-knowledge argument in the BPK model for any language in NP.

Assumptions. We start by listing the tools and the complexity-theoretic assumptions we need for the construction of this section.

1. We assume the existence of an $\eta$-secure signature scheme SS = (SigG, Sig, Ver). Here SigG denotes the key generator algorithm that receives the security parameter $k$ (in unary) and returns a pair (pk, sk) of keys; Sig is the signature algorithm that takes as input a message $m$ and a private key sk and returns a signature $s$ of $m$; and Ver is the signature verification algorithm that takes a message $m$, a signature $s$ and a public key pk and verifies that $s$ is a valid signature.

The scheme SS is $\eta$-secure in the sense that no algorithm running in time $o(2^{k^\eta})$ that has access to a signature oracle but not to the private key can forge the signature of a message $m$ for which it has not queried the oracle. It is well known that if sub-exponentially strong one-way functions exist then it is possible to construct secure signature schemes [18].

We assume that signatures of $k$-bit messages produced by using keys with security parameter $k$ have length $k$. This is not generally true, as for each signature scheme we have a constant $\alpha$ such that signatures of $k$-bit messages have length $k^\alpha$, but it has the advantage of not overburdening the notation. It is understood that all our proofs continue to hold if this assumption is removed.
2. We assume the existence of a one-round perfectly binding computationally hiding $\gamma$-extractable commitment scheme. The scheme is $\gamma$-extractable in the sense that there exists an extractor algorithm $E$ that, on input a commitment, computes the committed value in time $O(2^{k^\gamma})$.

Such commitment schemes are known to exist under the assumption of the existence of sub-exponentially strong one-to-one length-preserving one-way functions.

3. We also assume the existence of ZAPs for all of NP (see [19]).

In sum, our construction is based on the existence of subexponentially strong one-to-one length-preserving one-way functions and one-way trapdoor permutations.

We start by briefly describing the main idea of our protocol. The prover and the verifier play the following game: the prover picks a random message $m_1$, computes a commitment of $m_1$ and asks the verifier to sign it; the verifier signs the commitment and sends back to the prover such a signature and a message $m_2$. Finally the prover constructs an extractable commitment com of a random message and proves to the verifier, using a ZAP, that either $x \in L$ or com is the extractable commitment of a signature of a commitment of $m_2$. Let us now informally argue about sequential soundness and sequential zero knowledge of the argument system described. For sequential soundness, we observe that, since $m_2$ is chosen at random by the verifier for each sequential execution of the protocol, it is unlikely that the prover knows the signature of a commitment of $m_2$. For the zero-knowledge property instead, the simulator, once $m_2$ is received, rewinds $V^*$ and opens a new session with the verifier in which it sets $m_1 = m_2$, computes a commitment of $m_1 = m_2$ and sends it to the verifier, which thus produces a signature of a commitment of $m_2$. Going back to the original session, the simulator has a witness for the ZAP and can thus complete the simulation.

Theorem 2. If there exist subexponentially strong one-to-one length-preserving one-way functions and trapdoor permutations, then there exists a 3-round sequentially sound sequential zero-knowledge argument for NP in the BPK model.

Proof. Completeness and sequential soundness can be easily proved. For sequential zero knowledge, we now describe a simulator $S$. We consider a malicious verifier $V^*$ that in the first stage outputs the public file $F$ and in the second stage interacts with $P$ by considering $s(n)$ possible theorems and $s(n)$ possible entries of $F$. However $V^*$ is now a sequential verifier and thus it can neither run the same incarnation of $P$ twice nor run two concurrent sessions with $P$. Thus the simulation proceeds session by session and we can focus on the simulation of a generic session.

Let $V_1^*$ be the state of $V^*$ at the beginning of a given session. The simulator sends in the first round a message that is distributed identically to the one of the prover. Then $V^*$ replies by sending a message $m_2$; let $V_2^*$ be the state of $V^*$ at this step. The simulator rewinds $V^*$ to state $V_1^*$ and plays the first round again, but this time it sets $m_1 = m_2$. The simulator repeats this first round with different randomness until the verifier sends a valid second message, which therefore contains a signature of a commitment of $m_2$. The simulator can use the signature of a commitment of $m_2$ as witness for the third round of the original proof, which can be given by rewinding $V^*$ to state $V_2^*$. More precisely, $S$ rewinds $V^*$ to state $V_2^*$, computes a commitment of a commitment of $m_2$ and an extractable commitment of the previously received signature. Then $S$ has a witness for playing the ZAP.

The previously described rewind strategy allows the simulator to complete the simulation in expected polynomial time and, moreover, the witness indistinguishability of the ZAP and the hiding of the commitment scheme guarantee that the distribution of the output is computationally indistinguishable from an interaction between a real prover and $V^*$.

We remark that it is possible to base our construction on primitives secure against polynomial-time adversaries by employing a 3-round witness-indistinguishable argument where the statement is chosen by the prover before producing the third message.

5 Conclusions

In an asynchronous environment like the Internet, resettable zero-knowledge protocols that are not concurrently sound in the BPK model cannot be considered secure, and previous concurrently sound protocols required stronger assumptions than the BPK model.

In this work we have positively closed one of the main open problems regarding zero knowledge in the BPK model. We have shown that a constant-round concurrently sound resettable zero-knowledge argument system in the BPK model exists. In particular, we have shown a 4-round protocol, which is optimal for the black-box model.
Abstract. The concept of zero-knowledge (ZK) has become of fundamental importance in cryptography. However, in a setting where entities are modeled by quantum computers, classical arguments for proving ZK fail to hold since, in the quantum setting, the concept of rewinding is not generally applicable. Moreover, known classical techniques that avoid rewinding have various shortcomings in the quantum setting.

We propose new techniques for building quantum zero-knowledge (QZK) protocols, which remain secure even under (active) quantum attacks. We obtain computational QZK proofs and perfect QZK arguments for any NP language in the common reference string model. This is based on a general method converting an important class of classical honest-verifier ZK (HVZK) proofs into QZK proofs. This leads to quite practical protocols if the underlying HVZK proof is efficient. These are the first proof protocols enjoying these properties, in particular the first to achieve perfect QZK.

As part of our construction, we propose a general framework for building unconditionally hiding (trapdoor) string commitment schemes, secure against quantum attacks, as well as concrete instantiations based on specific (believed to be) hard problems. This is of independent interest, as these are the first unconditionally hiding string commitment schemes withstanding quantum attacks.

Finally, we give a partial answer to the question whether QZK is possible in the plain model. We propose a new notion of QZK, non-oblivious verifier QZK, which is strictly stronger than honest-verifier QZK but weaker than full QZK, and we show that this notion can be achieved by means of efficient (quantum) protocols.



1 Introduction 

Since its introduction by Goldwasser, Micali and Rackoff [14], the concept of 
zero-knowledge (ZK) proof has become a fundamental tool in cryptography. In- 
formally, in a ZK proof of a statement, the verifier learns nothing beyond the
validity of the statement. In particular, everything the verifier can do as a result 
of the interaction with the prover during the ZK proof, the verifier could also 
do “from scratch”, i.e., without interacting with the prover. This is argued by 
the existence of an efficient simulator which produces a simulated transcript of 
the execution, indistinguishable from a real transcript. ZK protocols exist for 
any NP language if one-way functions exist [2,3,15], also more efficient solu- 
tions are known for specific languages like Quadratic-Residuosity [14] or Graph- 
Isomorphism [15]. 

From a theoretical point of view, it is natural to ask whether such classical 
protocols are still secure if cheating players are allowed to run (polynomial time 
bounded) quantum computers. But the question also has some practical rele- 
vance: although quantum computers may not be available to the general public 
in any foreseeable future, even a single large scale quantum computer could be 
used to attack the security of existing protocols. 

To study this question, two issues are important. First, the computational 
assumption on which the protocol is based must remain true even if the adversary 
is quantum. This rules out many assumptions such as hardness of factoring or 
extracting discrete logs [23], but a few candidates still remain, for instance some 
problems related to lattices or error correcting codes. In general, it is widely 
believed that quantum one-way functions exist, i.e., functions that are easy to 
compute classically, but hard to invert, even on a quantum computer. 

A second and more difficult question is whether the proof of security remains 
valid against a quantum adversary. A major problem in this context comes from 
the fact that in the classical definition of ZK, the simulator is allowed to rewind 
the verifier in order to generate a simulated transcript of the protocol execution. 
However, if prover and verifier are allowed to run quantum computers, rewinding 
is not generally applicable, as it was originally pointed out by Van de Graaf [27]. 
We discuss this in more detail later, but intuitively, the reason is that when 
a quantum computer must produce a classical output, such as a message to 
be sent, a (partial) measurement on its state must be done. This causes an 
irreversible collapse of the state, so that it is not generally possible to reconstruct 
the original state. Moreover, copying the verifier’s state before the measurement 
is forbidden by the no-cloning theorem. Therefore, protocols that are proven 
ZK in the classical sense using rewinding of the verifier may not be secure with 
respect to a quantum verifier. This severe breakdown of the classical concept of 
ZK in a quantum world is the motivation of this work. 

It is well known that rewinding can cause “problems” already in a classi- 
cal setting. In particular, it has been realized that rewinding the verifier limits 
the composability of ZK protocols. As a result, techniques have been proposed 
that avoid rewinding the verifier, for instance the non-black-box ZK technique from [1], or, in the common reference string model, techniques providing concurrent ZK [13,22,9], non-interactive ZK [4] or universally-composable (UC) ZK [5,6,11] and related models [21]. One might hope that some of these ideas
would translate easily to the quantum setting. 
However, the non-black-box technique from [1] is based on the simulator using the verifier's program and current state to predict its reaction to a given message. Doing so for a quantum verifier will collapse its state when a measurement is done to determine its next message, so it is not clear that this technique will generalize to a quantum setting. The known constructions of UCZK protocols and non-interactive ZK are all based on computational assumptions that are either false in a quantum setting or for which we have no good candidate for concrete instantiations: the most general sufficient assumption is (as far as we know) the existence of one-way trapdoor permutations, but all known candidates are easy to invert on a quantum computer. Regardless of this type of problem, great care has to be taken with the security proof: despite the fact that the simulator in the UC model must not use rewinding, it is not true that a security proof in the UC model automatically implies security against quantum adversaries; we discuss this in more detail later in the paper. Finally, the technique for concurrent ZK from [9] avoids rewinding the verifier but instead rewinds the prover to prove soundness, leading to similar problems.

Before describing our results, we note that quantum zero-knowledge proof systems were already studied from a complexity-theoretic point of view by Watrous in [26]. The proof systems considered there all assume the prover to be computationally unbounded and the zero-knowledge condition is only enforced against honest verifiers. Clearly, these restrictions make those proof systems unsuitable for cryptographic applications. In this paper, we focus on efficient quantum zero-knowledge protocols in a cryptographic setting.

We propose three distinct techniques applicable to an important class of (classical) honest-verifier ZK (HVZK) proofs (in which the verifier is guaranteed to follow the protocol), namely so-called $\Sigma$-protocols (3-move public-coin protocols). We convert such protocols into quantum zero-knowledge (QZK) proofs, which are ZK (as well as sound) even with respect to (active) quantum attacks. In all cases, the new proof protocol proceeds in three moves like the underlying $\Sigma$-protocol, and its overhead in terms of communication is reasonable. To the best of our knowledge, these are the first (practical) zero-knowledge proofs withstanding active quantum attacks.

The first technique assumes the existence of an unconditionally hiding trapdoor string commitment scheme (secure against quantum attacks) and can be proven secure in the common-reference-string (CRS) model. It requires only classical computation and communication and achieves perfect or statistical QZK, assuming the underlying $\Sigma$-protocol was perfect or statistical HVZK, and is an interactive argument (computationally sound). The communication overhead of the new QZK protocol in comparison with the underlying $\Sigma$-protocol is essentially given by communicating and opening one string commitment. The technique directly implies perfect or statistical QZK arguments for NP.

This first approach requires addressing the problem of constructing unconditionally hiding and computationally binding trapdoor string commitment schemes withstanding quantum attacks. This is non-trivial since the classical definition of computational binding cannot be used for a quantum adversary, as was pointed out in [12] with respect to bit commitments and in [8] with respect to string commitments. In fact, it was not even clear how computational binding for a string commitment should be defined. In [8], a computational binding condition was introduced with their application in mind but no concrete instance was proposed.

We propose a new definition of computational binding that is strong enough for our (and other) applications. On the other hand, we propose a generic construction for schemes satisfying our definition based on special-sound $\Sigma$-protocols for hard-to-decide languages, and we give examples based on concrete intractability assumptions. Our construction yields the first unconditionally hiding string commitment schemes withstanding quantum attacks, under concrete as well as under general intractability assumptions. Moreover, since our definition implies the one from [8], our schemes can be used to provide secure quantum oblivious transfer.

The second technique assumes the existence of any quantum one-way function and is also secure in the CRS model. It requires classical communication and computation and produces computational QZK interactive proofs for any NP language. It can be efficiently instantiated under more specific complexity assumptions.

The last technique requires no computational assumption and is provably secure in the plain model (no CRS). However, it requires quantum computation and communication and does not achieve full QZK but what we call non-oblivious verifier QZK. This new notion is weaker than QZK but strictly stronger than honest-verifier QZK (as defined in [26]). Essentially, a non-oblivious verifier may arbitrarily deviate from the protocol but still generates all private and public classical random variables available to the honest verifier according to the same distribution. The (quantum) communication complexity of the non-oblivious verifier QZK proof essentially equals the (classical) communication complexity of the underlying $\Sigma$-protocol.

The paper is organized as follows. In Sect. 2, we introduce some relevant 
notations. We also argue why rewinding causes a problem in a quantum setting 
and why UCZK does not imply QZK. In Sect. 3, we define and construct the 
unconditionally hiding (trapdoor) commitment schemes used in Sect. 4 for QZK 
proofs in the common-reference-string model. Finally, the non-oblivious verifier 
QZK proof in the plain model is presented in Sect. 5. 

Due to space limitations, some descriptions and discussions appear in a shortened form in this proceedings version; they appear in full in the full version [10].

2 Preliminaries 

2.1 Zero-Knowledge Interactive Proofs 

The Classical Case: We assume the reader to be familiar with the classical notions of (HV)ZK interactive proofs (and arguments) and of (special-sound) $\Sigma$-protocols. We merely fix some notation and terminology here. For an introduction to these concepts we refer to the full version of this paper [10] or to the literature.
Let $R = \{(x, w)\}$ be a binary relation. Write $L_R = \{x \mid \exists w : (x, w) \in R\}$ for the language defined by $R$. For $x \in L_R$, any $w$ such that $(x, w) \in R$ is called a witness (for $x \in L$), and we write $W_R(x) = \{w \mid (x, w) \in R\}$ for the set of witnesses for $x \in L$. We assume that the size of the witnesses for $x \in L$ is polynomially bounded by the size of $x$, and that $R$ is poly-time testable.

We refer to a $\Sigma$-protocol $(P, V)$ for a language $L$ by a triple $(\mathsf{a}, \mathsf{c}, \mathsf{z})$, where we understand $\mathsf{a}$, $\mathsf{c}$ and $\mathsf{z}$ as the processes of choosing/computing the first message $a$, the (random) challenge $c$ and the corresponding answer $z$, respectively, as specified by the protocol (with some input $x \in L$), and we write $a \leftarrow \mathsf{a}$, $c \leftarrow \mathsf{c}$ and $z \leftarrow \mathsf{z}_x(a, c)$, respectively, for the execution of these processes. Furthermore, we write $\mathsf{verify}_x$ for the verification predicate which is applied by $V$ and whose output accept or reject, respectively 0 or 1, determines whether $V$ should accept the proof or not. We stress that when considering a computationally bounded (honest) prover $P$, as we do here, the answer $z$ is typically not computed by $P$ as a function of $a$, $c$ and $x$ (as the notation $z \leftarrow \mathsf{z}_x(a, c)$ might suggest), but rather as a function of the randomness used to generate $a$, of the challenge $c$ and of a witness $w \in W_R(x)$. By default, we understand a $\Sigma$-protocol to be unconditionally sound. Clearly, for a fixed $x \notin L$, the soundness error $\varepsilon$ of such a $\Sigma$-protocol is given by the maximum over all possible first messages $a$ of the fraction of the possible challenges $c$ for $a$ that allow an answer $z$ which is accepted by $V$.

It is known that statistical ZK $\Sigma$-protocols only exist for languages $L \in$ co-AM. Most of the well-known $\Sigma$-protocols are proof systems for languages that are trivial on a quantum computer. However, some languages like graph isomorphism (GI) have special-sound $\Sigma$-protocols and are not known to be trivial on a quantum computer. This is also the case for some recently proposed lattice problems [19]. It is not known whether co-AM can be efficiently recognized by a quantum computer.

The Quantum Case: ZK quantum interactive proof systems are defined as the natural generalization of their classical counterpart and were introduced and first studied by Watrous [24,26]. Quantum ZK (QZK) is defined as for the classical case except that the quantum simulator is required to produce a state that is exponentially close, in the trace-norm sense, to the verifier's view. Formal definitions for QZK proof systems can be found in the full version [10].

2.2 The Problem with Quantum Rewinding 

Rewinding a party to a previous state is a common proof technique for showing 
the security of many different kinds of protocols in the computational model. 
In general, this technique cannot be applied when the party is modeled by a 
quantum computer. Originally observed by Van de Graaf [27], this implies that 
security proofs of many well-established classical protocols do not hold if one 
party is running a quantum computer even if the underlying assumption under 
which the security proof holds withstands quantum attacks. 

Rewinding is in general not possible since taking a snapshot of a quantum memory is tantamount to quantum cloning. Unlike in the classical case, there is no way to copy a quantum memory regardless of what the memory contains. The only generic way to restore a quantum memory requires re-generating it from scratch. Proceeding that way may not be possible efficiently.

One consequence of the no-quantum-rewinding paradigm is particularly relevant to us. Sequential repetition of an HVZK $\Sigma$-protocol for a language $L$ results in a ZK protocol for $L$ with negligible soundness error, but the standard proof of its zero-knowledge property rewinds the verifier. It follows that this straightforward construction is not guaranteed to be secure against quantum verifiers.

Another example is the use of rewinding for proving secure applications of computationally binding commitment schemes. Such a security proof is done by showing that an attacker that breaks the application can be used to compute two different openings of a commitment and thus to break the binding property of the commitment scheme. This reduction, however, typically requires rewinding the attacker, and thus by the no-quantum-rewinding paradigm does not yield a valid security proof in a quantum setting.

More details can be found in the full version [10]. 

2.3 UCZK Does Not Imply QZK 

In [5], Canetti proposes a new framework for defining and proving cryptographic protocols secure: the universal composability (UC) framework. This framework allows one to define and prove secure cryptographic protocols as stand-alone protocols, while at the same time guaranteeing security in any application by means of a general composition theorem. The UC security definition essentially requires that the view of any adversary attacking the protocol can be simulated while in fact running an idealized version of the protocol, which essentially consists of a trusted party called the ideal functionality. The simulation should be indistinguishable for any distinguisher, called the environment, which may be on-line, and provides the inputs and receives the outputs. Furthermore, the UC definition explicitly prohibits rewinding of the environment and thus of the adversary (as it may communicate with the environment). This restriction is crucial for the proof of the composition theorem. We refer to [5] for more details.

Since the UC framework forbids rewinding the adversary, it seems that UCZK implies QZK, assuming the underlying computational assumption withstands quantum attacks. This intuition is false in general. The reason is that even though the UC framework does not allow the simulator to rewind the adversary, it is still allowed to use rewinding as a proof technique in order to show that the simulator produces a “good” simulation. For instance, it is allowed to argue that if an environment can distinguish the simulation from a real protocol execution, then by rewinding the environment together with the adversary one can efficiently solve a problem assumed to be hard. We illustrate this on a concrete example in [10].

3 Unconditionally Hiding (Trapdoor) Commitments 

In this section we study and construct classical (trapdoor) commitment schemes secure against quantum attacks. In contrast to quantum commitment schemes,




such schemes do not require quantum computation (in order to compute, open or verify commitments), but they are guaranteed to remain secure even under quantum attacks. Our construction, which is based on hard-to-decide languages with special-sound $\Sigma$-protocols, yields the first unconditionally hiding string commitment schemes withstanding quantum attacks. In Sect. 4, we use these commitments to construct QZK proofs. A further application of our commitment schemes is given in [10], where it is shown how they give rise to quantumly secure oblivious transfer.

3.1 Defining Security in a Quantum Setting 

Informally, by publishing a commitment $C = \mathsf{commit}_{pk}(s, \rho)$ for a random $\rho$, a commitment scheme allows a party to commit to a secret $s$, such that the commitment $C$ reveals nothing about the secret $s$ (hiding property) while on the other hand the committed party can open $C$ to $s$ by publishing $(s, \rho)$ but only to $s$ (binding property).

Formally, a commitment scheme (of the kind we consider) consists of two poly-time algorithms: a key-generation algorithm $\mathcal{G}$ which takes as input the security parameter $\ell$ and specifies an instance of the scheme by generating a public key $pk$, and an algorithm $\mathsf{commit}$ which allows one to compute $C = \mathsf{commit}_{pk}(s, \rho)$ given a public key $pk$ as well as $s$ and $\rho$ chosen from appropriate finite sets $S$ and $\mathcal{R}$ (specified by $pk$). $S$ is called the domain of the commitment scheme. Classically, the hiding property is formalized by the non-existence of a distinguisher which is able to distinguish $C = \mathsf{commit}_{pk}(s, \rho)$ from $C' = \mathsf{commit}_{pk}(s', \rho')$ with non-negligible advantage, where $s, s' \in S$ are chosen by the distinguisher and $\rho, \rho' \in \mathcal{R}$ are random. On the other hand, the binding property is formalized by the non-existence of a forger able to compute $s, s' \in S$ and $\rho, \rho' \in \mathcal{R}$ such that $s \neq s'$ but $\mathsf{commit}_{pk}(s, \rho) = \mathsf{commit}_{pk}(s', \rho')$. If the distinguisher respectively the forger is restricted to be poly-time, then the scheme is said to be computationally hiding respectively binding, while without restriction on the distinguisher respectively the forger, it is said to be unconditionally hiding respectively binding.

In order to define security of such a commitment scheme $(\mathcal{G}, \mathsf{commit})$ in a quantum setting, the (computational or unconditional) hiding property can be adapted in a straightforward manner by allowing the distinguisher to be quantum. The same holds for the unconditional binding property, which is equivalent to requiring that every $C$ uniquely defines $s$ such that $C = \mathsf{commit}_{pk}(s, \rho)$ for some $\rho$. However, adapting the computational binding property in a similar manner, simply by allowing the forger to be quantum, results in too weak a definition. The reason is that in order to prove secure an application of a commitment scheme, which is done by showing that an attacker that breaks the application can be transformed in a black-box manner into a forger that violates the binding property, the attacker typically needs to be rewound, which cannot be justified in a quantum setting by the no-quantum-rewinding paradigm as discussed in Sect. 2.2. The following definition for the computational binding property of a commitment scheme with respect to quantum attacks is strong enough to prove secure applications (as in Sect. 4 and in [10]) based on the security of the underlying commitment scheme, but it is still weak enough in order to prove the binding property for concrete commitment schemes (see Sect. 3.2 and 3.3).

Let $(\mathcal{G}, \mathsf{commit})$ be a commitment scheme as introduced above, and let $S$ denote its domain. Informally, we require that it is infeasible to produce a list of commitments and then open (a subset of) them in a certain specified way with a probability significantly greater than expected. We formalize this as follows. Let $Q$ be a predicate of the following form. $Q$ takes three inputs: (1) a non-empty set $A \subseteq \{1, \ldots, N\}$ where $N$ is upper bounded by a polynomial in $\ell$, (2) a tuple $s_A = (s_i)_{i \in A}$ with $s_i \in S$, and (3) an element $u \in \mathcal{U}$ where $\mathcal{U}$ is some finite set; and it outputs $Q(A, s_A, u) \in \{0, 1\}$. We do not require $Q$ to be efficiently computable. Consider a polynomially bounded quantum forger $\mathcal{F}$ in the following game: $\mathcal{F}$ takes as input $pk$, generated by $\mathcal{G}$, and announces commitments $C_1, \ldots, C_N$. Then, it is given a random $u \in \mathcal{U}$, and it outputs $A$, $s_A = (s_i)_{i \in A}$ and $\rho_A = (\rho_i)_{i \in A}$. $\mathcal{F}$ is said to win the game if $Q(A, s_A, u) = 1$ and $C_i = \mathsf{commit}_{pk}(s_i, \rho_i)$ for every $i \in A$. We require that every forger has essentially the same success probability in winning the game as when using an ideal (meaning unconditionally binding) commitment scheme (where every $C_i$ uniquely defines $s_i$). In the latter case, the success probability is obviously given by $p_{\mathrm{ideal}} = \max_{s \in S^N} |\mathrm{sat}_Q(s)| / |\mathcal{U}|$ with $\mathrm{sat}_Q(s) = \{u \in \mathcal{U} \mid \exists A : Q(A, s_A, u) = 1\}$, where $s_A$ stands for the restriction of $s$ to its coordinates $s_i$ with $i \in A$. In this definition, $Q$ models a condition that must be satisfied by the opened value in order for the opening to be useful for the committer. For each application scenario, such a predicate can be defined.

Definition 1. A commitment scheme $(\mathcal{G}, \mathsf{commit})$ is called computational $Q$-binding if for every predicate $Q$, every polynomially bounded quantum forger $\mathcal{F}$ wins the above game with probability $p_{\mathrm{real}} = p_{\mathrm{ideal}} + \mathrm{adv}$, where $\mathrm{adv}$, the advantage of $\mathcal{F}$, is (negative or) negligible (in $\ell$).

It is not hard to verify that in a classical setting (where $\mathcal{F}$ is allowed to be rewound), the classical computational binding property is equivalent to the above computational $Q$-binding property. Furthermore, it is rather obvious that the computational $Q$-binding property for a commitment scheme with domain $S$ implies the computational $Q$-binding property for the natural extension of the scheme to the domain $S^k$ (for any $k$) by committing componentwise. Note that this desirable preservation of the binding property does not hold for the binding property introduced in [8].

Finally, we define a trapdoor commitment scheme¹ as a commitment scheme in the above sense with the following additional property. Besides the public key $pk$, the generator $\mathcal{G}$ also outputs a trapdoor $\tau$ which allows one to break either the hiding or the binding property. Specifically, if the scheme is unconditionally binding, then $\tau$ allows one to efficiently compute $s$ from $C = \mathsf{commit}_{pk}(s, \rho)$, and if it is unconditionally hiding, then $\tau$ allows one to efficiently compute commitments $C$ and correctly open them to any $s$.

¹ Depending on its flavor, a trapdoor commitment scheme is also known as an extractable respectively as an equivocable or a chameleon commitment scheme.
3.2 A General Framework

In this section, we propose a general framework for constructing unconditionally hiding and computationally $Q$-binding (trapdoor) string commitment schemes. For that, consider a language $L = L_R$ and assume that

1. $L$ admits a (statistical) HVZK special-sound $\Sigma$-protocol $\Pi = (\mathsf{a}, \mathsf{c}, \mathsf{z})$,²

2. there exists an efficient generator $\mathcal{G}_{\mathrm{yes}}$ generating $x \in L$ together with a witness $w \in W_R(x)$ (more precisely, $\mathcal{G}_{\mathrm{yes}}$ takes as input the security parameter $\ell$ and outputs $x \in L$ of bit size $\ell$ and $w \in W_R(x)$), and

3. for all poly-size quantum circuits $\mathcal{D}$ and polynomials $p(\ell) > 0$, if $\ell$ is large enough then there exists $x_{\mathrm{no}} \notin L$ of bit size $\ell$ such that for $x_{\mathrm{yes}}$ generated by $\mathcal{G}_{\mathrm{yes}}$ (on input $\ell$)

$|\Pr(\mathcal{D}(x_{\mathrm{yes}}) = \mathrm{yes}) - \Pr(\mathcal{D}(x_{\mathrm{no}}) = \mathrm{yes})| < 1/p(\ell)$.

Note that 3. only requires that for every distinguisher $\mathcal{D}$ it is hard to distinguish a randomly generated yes-instance $x \in L$ from some no-instance $x \notin L$, which in particular may depend on $\mathcal{D}$.

Given such $L$, the construction in Fig. 1 provides an unconditionally hiding trapdoor commitment scheme. We assume that $\mathsf{c}$ samples the challenge $c$ randomly from $\{0, 1\}^t$ for some $t$.



$\mathcal{G}$ is given by $\mathcal{G}_{\mathrm{yes}}$, where the generated $x \in L$ is parsed as public key $pk$ and $w \in W_R(x)$ as trapdoor $\tau$. The domain $S$ is defined to be $S = \{0, 1\}^t$.

$\mathsf{commit}_{pk}$: To commit to $s \in S = \{0, 1\}^t$, use the HVZK simulator for $\Pi$ to generate $(a, c, z)$. Set $C = (a, s \oplus c)$ to be the commitment for $s$.

A commitment $C = (a, d)$ is opened to $s$ by announcing the corresponding values $c$ and $z$, and such an opening is accepted if and only if $s \oplus c = d$ and $\mathsf{verify}_x(a, c, z) = \mathrm{accept}$.

Fig. 1. Trapdoor commitment scheme $(\mathcal{G}, \mathsf{commit})$.



If $\Pi$ is special HVZK, meaning that $(a, c, z)$ can be simulated for a given $c$, then the commitment scheme can be slightly simplified: $(a, c, z)$ is generated such that $c = s$ and $C$ is simply set to be $C = a$.

Theorem 1. Under assumption 3., $(\mathcal{G}, \mathsf{commit})$ in Fig. 1 is an unconditionally hiding and computationally $Q$-binding trapdoor commitment scheme.

² As will become clear, the prover's efficiency in the $\Sigma$-protocol does not influence the efficiency of the resulting commitment scheme as far as the committer and the receiver are concerned. An efficient prover is only required if one wants to take advantage of the trapdoor.
As will become clear from the proof below, if the underlying $\Sigma$-protocol $\Pi$ is perfect HVZK, then $(\mathcal{G}, \mathsf{commit})$ is perfectly hiding in the sense that there exists no distinguisher with non-zero advantage, meaning that a commitment $C$ for $s$ is statistically independent of $s$.

Proof. It is clear that a correct opening is accepted. It is also rather obvious that the scheme is unconditionally hiding: the distribution of $(a, c, z)$ generated by the HVZK simulator is statistically close to the distribution of $(a, c, z)$ generated by the protocol. There, however, $c$ is chosen independently of $a$. Therefore, $a$ gives essentially no information on $c$ and thus $C = (a, s \oplus c)$ gives essentially no information on $s$ (as $s \oplus c$ acts as a one-time pad). The trapdoor property can be seen as follows. Knowing the trapdoor $\tau = w$, put $C = (a, d)$ where $a \leftarrow \mathsf{a}$ and $d$ is randomly sampled from $\{0, 1\}^t$. Given arbitrary $s \in \{0, 1\}^t$, compute $c = d \oplus s$ and $z \leftarrow \mathsf{z}_x(a, c)$ using the witness $w$ (and the randomness for the generation of $a$). It is obvious that $(s, c, z)$ opens $C$ correctly to $s$.

It remains to show the computational $Q$-binding property. We show that if there exists a forger $\mathcal{F}$ that can break the $Q$-binding property of the commitment scheme (without knowing the trapdoor) for some predicate $Q$ according to Definition 1, then there exists a circuit $\mathcal{D}$ that contradicts assumption 3. $\mathcal{D}$ is illustrated in Fig. 2 and is quantum if and only if $\mathcal{F}$ is.



$\mathcal{D}$: The input is $x$, either in $L$ or not in $L$.

1. Invoke $\mathcal{F}$ with public key $pk = x$ in order to get commitments $C_1, \ldots, C_N$,

2. Pick random $u \in \mathcal{U}$ and announce it to $\mathcal{F}$,

3. $\mathcal{F}$ announces $A \subseteq \{1, \ldots, N\}$ and, for $i \in A$, tries to open $C_i$ to $s_i$ such that $Q(A, s_A, u) = 1$ for $s_A = (s_i)_{i \in A}$,

4. Verify the openings and whether indeed $Q(A, s_A, u) = 1$; if successful then output yes and otherwise no.

Fig. 2. Distinguisher $\mathcal{D}$ for $x \in L$ versus $x \notin L$.



If $x$ is generated by $\mathcal{G}_{\mathrm{yes}}$ then $pk = x$ is a valid public key for the commitment scheme with the right distribution and thus $\Pr(\mathcal{D}(x) = \mathrm{yes}) = p_{\mathrm{real}} = p_{\mathrm{ideal}} + \mathrm{adv}$, where $\mathrm{adv}$ is $\mathcal{F}$'s advantage. On the other hand, if $x \notin L$, then by the special soundness property of $\Pi$, given $a$ there is only one $c$ that allows an answer $z$ such that $\mathsf{verify}_x(a, c, z) = \mathrm{accept}$. Hence, for any $C_i$ there is only one $s_i \in S$ to which $C_i$ can be successfully opened. Therefore, $\Pr(\mathcal{D}(x) = \mathrm{yes}) \leq p_{\mathrm{ideal}}$. If $\mathrm{adv}$ is (positive and) non-negligible, then this contradicts 3. □

We would like to point out once more that our definition of the (computational) binding property inherits the following feature. If a commitment scheme with domain $S$ is computational $Q$-binding, then its natural extension to a commitment scheme with domain $S^k$ by committing componentwise (with the same $pk$) is also computational $Q$-binding. In particular, any computational $Q$-binding bit commitment scheme gives rise to a computational $Q$-binding string commitment scheme.



3.3 Concrete Instantiations 

We propose three concrete languages which are believed to be hard to decide as required in the above section and which admit HVZK special-sound $\Sigma$-protocols. The first language is based on a problem from coding theory: the Code-Equivalence (CE) problem. It requires deciding whether two generator matrices generate the same code up to a permutation of the coordinates, and it is known to be at least as hard (in the worst case) as the Graph-Isomorphism (GI) problem. Furthermore, it admits a similar $\Sigma$-protocol as GI. Finally, and in contrast to GI, there is a generator believed to produce hard yes-instances. More details are given in [10].

The next two languages are gap versions of the famous lattice problems Shortest-Vector and Closest-Vector, where the no-instances are promised to be “not too close” to the yes-instances. $\Sigma$-protocols for these problems were recently proposed in [19], where the generation of hard instances is also addressed. Again, more details are given in [10].

These languages give rise to concrete instantiations of the commitment scheme developed in the above section, based on concrete computational assumptions.

4 Quantum Zero-Knowledge Proofs 

4.1 Common-Reference-String Model 

The common-reference-string (CRS) model assumes that there is a string $\sigma$ (honestly) generated according to some distribution and available to all parties from the start of the protocol. In the CRS model, an interactive proof (or argument) is (Q)ZK if there exists a simulator which can simulate the (possibly dishonest) verifier's view of the protocol execution together with a CRS $\sigma$ having the correct joint distribution as in a real execution.



4.2 Efficient QZK Arguments 

We show how to convert any HVZK $\Sigma$-protocol into a quantum zero-knowledge (QZK) argument. The construction is based on a trapdoor commitment scheme and can be proven secure in the CRS model.

It is actually very simple. $P$ and $V$ simply execute the $\Sigma$-protocol, but instead of sending message $a$ in the first move, $P$ sends a commitment to $a$, which he then opens when he sends the answer $z$ to the challenge $c$ in the third move. The zero-knowledge property then follows essentially by observing that the simulator (who knows the trapdoor of the commitment scheme) can cheat in the opening of the commitment. So far, the strategy for the QZK proof is the same as in Damgård's concurrent ZK proof [9]; the proof of soundness however will be different since [9] requires rewinding the prover, which cannot be justified in our case by the no-quantum-rewinding paradigm. In order not to rely on the special HVZK property (as introduced and explained in Sect. 3.2), the protocol is slightly more involved than sketched here, though the idea remains.

Let an HVZK $\Sigma$-protocol $\Pi = (\mathsf{a}, \mathsf{c}, \mathsf{z})$ for a language $L = L_R$ be given. Let $\varepsilon$ denote its soundness error. We assume without loss of generality that $\mathsf{a}$ and $\mathsf{c}$ sample first messages $a$ and challenges $c$ of fixed bit lengths $r$ and $t$, respectively. Furthermore, let an unconditionally hiding and computationally $Q$-binding trapdoor commitment scheme $(\mathcal{G}, \mathsf{commit})$ be given (where the knowledge of the trapdoor allows one to break the binding property of the scheme). We assume that its domain $S$ contains $\{0, 1\}^{r+t}$. Consider Protocol 1 illustrated in Fig. 3.



Protocol 1: $V$ has input $x$, claimed to be in $L$; $P$ has input $x$ and $w \in W_R(x)$. The CRS is set to be $pk$ where $pk$ is generated by $\mathcal{G}$.

1. $P$ computes $a \leftarrow \mathsf{a}$ and chooses $c_P \leftarrow \mathsf{c}$. Then it commits to the concatenation $a \| c_P$ of $a$ and $c_P$ by $C = \mathsf{commit}_{pk}(a \| c_P, \rho)$, and sends $C$ to $V$.

2. $V$ chooses $c_V \leftarrow \mathsf{c}$ and sends it to $P$.

3. $P$ computes $z \leftarrow \mathsf{z}_x(a, c)$ for $c = c_P \oplus c_V$ and sends $(a, c_P, \rho)$ and $z$ to $V$.

4. $V$ accepts iff $C = \mathsf{commit}_{pk}(a \| c_P, \rho)$ and $\mathsf{verify}_x(a, c_P \oplus c_V, z) = \mathrm{accept}$.

Fig. 3. QZK proof protocol in the CRS model.



As mentioned above, Protocol 1 can be slightly simplified in case $\Pi$ is special HVZK, in that $P$ commits to $a$ (rather than to $a \| c_P$) and computes $z$ with respect to the challenge $c = c_V$ provided by $V$.

Theorem 2. Under the assumption that $(\mathcal{G}, \mathsf{commit})$ is an unconditionally hiding and computationally $Q$-binding trapdoor commitment scheme, Protocol 2 is a QZK (quantum) argument for $L$ in the CRS model. Its soundness error is $\varepsilon' = \varepsilon + \mathrm{negl}$ where $\mathrm{negl}$ is negligible (in the security parameter).

Concerning the flavor of QZK, Protocol 2 is computational QZK if the underlying $\Sigma$-protocol $\Pi$ is computational HVZK, and it is statistical QZK provided that $\Pi$ is statistical or perfect HVZK. In case $(\mathcal{G}, \mathsf{commit})$ is perfectly (rather than unconditionally) hiding, the flavor of QZK of Protocol 2 is exactly given by the flavor of HVZK of $\Pi$.

Proof. As mentioned above, the zero-knowledge property is rather straightforward: the simulator generates a public key for the commitment scheme together with a trapdoor and outputs the public key as CRS. Then, on input $x \in L$, it generates a commitment $C$ (which it can open to an arbitrary value using the trapdoor) and sends it to $V$. On receiving $c_V$ from $V$, the simulator simulates an accepting conversation $(a, c, z)$ for the original $\Sigma$-protocol using the HVZK property, it sets $c_P = c \oplus c_V$ and computes $\rho$ such that $C = \mathsf{commit}_{pk}(a \| c_P, \rho)$ using the trapdoor, and it sends $(a, c_P, \rho)$ and $z$ to $V$.

For the soundness property, it has to be shown that given a (quantum) prover $P$ which succeeds in making (honest) $V$ accept the proof for an $x \notin L$ with a probability exceeding $\varepsilon$ by a non-negligible amount, $P$ can be used to break the $Q$-binding property of the commitment scheme for some predicate $Q$. Fix $x \notin L$. We define $Q$ as follows. $N = 1$, and $\mathcal{U}$ is given by the set of all possible challenges $c_V$ sampled by $\mathsf{c}$. For $s \in S$ and $u = c_V \in \mathcal{U}$, where $s$ is parsed as $s = a \| c_P$ with $a \in \{0, 1\}^r$ and $c_P \in \{0, 1\}^t$, we set $Q(\{1\}, s, u) = 1$ if and only if the challenge $c = c_P \oplus c_V$ for the first message $a$ allows an answer $z$ such that $\mathsf{verify}_x(a, c, z) = \mathrm{accept}$. Note that $A = \{1\}$ is the only legitimate choice for $A$. By construction of $Q$, making $V$ accept the proof means that $P$ opens $C$ (correctly) to $a \| c_P$ such that $Q(\{1\}, a \| c_P, c_V) = 1$. Furthermore, $p_{\mathrm{ideal}} = \varepsilon$. It follows that if $P$ succeeds in making $V$ accept the proof with probability greater than $\varepsilon$ by a non-negligible amount, then $P$ is a forger $\mathcal{F}$ that breaks the $Q$-binding property of $(\mathcal{G}, \mathsf{commit})$. This completes the proof. □
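The following is an added worked example in Python (my own code, not from the paper), instantiating the Fig. 1 commitment and Protocol 1 with the graph-isomorphism $\Sigma$-protocol mentioned in Sect. 2.1: a GI instance generated together with its witness serves as the CRS public key, the same $\Sigma$-protocol (one-bit challenge, so $\varepsilon = 1/2$ for a single execution) is the $\Pi$ being proved, and the string commitment is the componentwise extension noted after Theorem 1. The adjacency-vector encoding of $a$, the function names and the toy graph sizes are my own choices.

```python
import random  # toy randomness for illustration only; a real instantiation needs a CSPRNG

# --- Graph-isomorphism Sigma-protocol (one-bit challenge; special-sound and special HVZK) ---
# A graph on n vertices is a frozenset of sorted vertex pairs; a permutation is a tuple p with
# p[i] the image of vertex i. An instance is x = (n, G0, G1); a witness is pi with G1 = pi(G0).

def permute(p, graph):
    return frozenset(tuple(sorted((p[u], p[v]))) for u, v in graph)

def compose(p, q):                      # (p o q)[i] = p[q[i]]
    return tuple(p[i] for i in q)

def inverse(p):
    inv = [0] * len(p)
    for i, j in enumerate(p):
        inv[j] = i
    return tuple(inv)

def random_perm(n):
    p = list(range(n))
    random.shuffle(p)
    return tuple(p)

def gen_yes(n):                         # G_yes: a yes-instance together with its witness
    g0 = frozenset((u, v) for u in range(n) for v in range(u + 1, n) if random.random() < 0.5)
    pi = random_perm(n)
    return (n, g0, permute(pi, g0)), pi

def first_message(x):                   # a <- a: a = sigma(G0); sigma is the prover's randomness
    sigma = random_perm(x[0])
    return permute(sigma, x[1]), sigma

def answer(x, w, sigma, c):             # z <- z_x(a, c): the isomorphism mapping G_c onto a
    return sigma if c == 0 else compose(sigma, inverse(w))

def verify(x, a, c, z):                 # verify_x(a, c, z)
    return permute(z, x[1 + c]) == a

def simulate(x, c):                     # special HVZK simulator: accepting (a, c, z) for a given c
    z = random_perm(x[0])
    return permute(z, x[1 + c]), c, z

# --- Fig. 1 commitment, bit by bit (componentwise extension to strings) ---

def keygen(n):                          # G: pk = x, trapdoor tau = witness
    return gen_yes(n)

def commit(pk, bits):                   # C_i = (a_i, s_i xor c_i) from a simulated transcript
    C, rho = [], []
    for s in bits:
        a, c, z = simulate(pk, random.randrange(2))
        C.append((a, s ^ c))
        rho.append((c, z))
    return C, rho

def check_opening(pk, C, bits, rho):    # accept iff s_i xor c_i = d_i and verify_pk(a_i, c_i, z_i)
    return len(C) == len(bits) == len(rho) and all(
        s ^ c == d and verify(pk, a, c, z) for (a, d), s, (c, z) in zip(C, bits, rho))

def trapdoor_commit(pk, length):        # C_i = (sigma_i(G0), random d_i); sigma_i kept for later
    state = [(first_message(pk), random.randrange(2)) for _ in range(length)]
    return [(a, d) for (a, _), d in state], state

def equivocate(pk, tau, state, bits):   # open to any s: c_i = d_i xor s_i, z_i computed with tau
    return [(d ^ s, answer(pk, tau, sigma, d ^ s)) for ((_, sigma), d), s in zip(state, bits)]

# --- Protocol 1 (Fig. 3): the statement x is itself a GI instance; a is sent as an adjacency vector ---

def encode(x, a):
    return [int((u, v) in a) for u in range(x[0]) for v in range(u + 1, x[0])]

def decode(x, bits):
    pairs = [(u, v) for u in range(x[0]) for v in range(u + 1, x[0])]
    return frozenset(p for p, b in zip(pairs, bits) if b)

def protocol1_verify(pk, x, C, cV, s, rho, z):   # V's step 4: check the opening, then verify_x
    a, cP = decode(x, s[:-1]), s[-1]
    return check_opening(pk, C, s, rho) and verify(x, a, cP ^ cV, z)

def protocol1_prove(pk, x, w):                   # honest P and V; returns V's decision
    a, sigma = first_message(x)
    cP = random.randrange(2)
    s = encode(x, a) + [cP]
    C, rho = commit(pk, s)                       # step 1: C = commit_pk(a || cP, rho)
    cV = random.randrange(2)                     # step 2: V's challenge
    z = answer(x, w, sigma, cP ^ cV)             # step 3: answer for c = cP xor cV and open C
    return protocol1_verify(pk, x, C, cV, s, rho, z)

def protocol1_simulate(pk, tau, x):              # QZK simulator: trapdoor, no witness, no rewinding
    C, state = trapdoor_commit(pk, len(encode(x, x[1])) + 1)
    cV = random.randrange(2)                     # whatever the (possibly dishonest) V sends
    a, c, z = simulate(x, random.randrange(2))   # HVZK transcript of Pi
    s = encode(x, a) + [c ^ cV]                  # cP := c xor cV
    return protocol1_verify(pk, x, C, cV, s, equivocate(pk, tau, state, s), z)
```

Running protocol1_simulate shows that a transcript produced without any witness for x passes V's check, exactly the equivocation the proof of Theorem 2 relies on.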

4.3 QZK Arguments for All of NP 

Consider a (generic) ZK argument for an NP-complete language using (ordinary) unconditionally hiding commitments. For instance, consider the classical interactive proof for Circuit-Satisfiability due to Brassard, Chaum and Crépeau [3]: the prover “scrambles” the wires and the gates' truth tables of the circuit and commits to them, and he answers the challenge $c = 0$ by opening all commitments and showing that the scrambling is done correctly, and the challenge $c = 1$ by opening the (scrambled) wires and rows of the gates' truth tables that are activated by the satisfying input. Following the lines of the proof of Theorem 2 above, it is straightforward to prove that replacing the commitment scheme in this construction by an unconditionally hiding and computationally $Q$-binding commitment scheme results in a QZK argument in the CRS model for Circuit-Satisfiability, and thus for all languages in NP.

4.4 Computational QZK Proofs 

We sketch how to construct rather efficient computational QZK proofs for languages that allow (computational) HVZK $\Sigma$-protocols based on specific intractability assumptions, as well as computational QZK proofs for all of NP based on any quantum one-way function.

Consider any of the languages $L = L_R$ with HVZK $\Sigma$-protocol on which the commitment construction from Sect. 3.2 is based, except that we allow the $\Sigma$-protocol to be computational HVZK. Assume in addition that there is also a generator $\mathcal{G}_{\mathrm{no}}$ that produces no-instances that cannot be distinguished from the yes-instances produced by $\mathcal{G}_{\mathrm{yes}}$.

Then, put a no-instance $x_{\mathrm{no}}$ in the reference string. The prover can now prove any statement $S$ that can be proved by an HVZK $\Sigma$-protocol $\Pi$ by using a standard witness-indistinguishable HVZK proof for proving that $S$ is true or $x_{\mathrm{no}} \in L$ [7]. Here, we allow the $\Sigma$-protocol $\Pi$ to be computational HVZK; in particular $\Pi$ might be the $\Sigma$-protocol for Circuit-Satisfiability sketched in Sect. 4.3 above but based on an unconditionally binding and computationally hiding commitment scheme (secure against quantum attacks), which can be constructed from any (quantum) one-way function (see below).

This is clearly unconditionally sound, and can be simulated, where the simulator uses a yes-instance $x_{yes}$ in place of $x_{no}$ and uses its witness $w \in W_R(x_{yes})$ to complete the protocol without rewinding. A distinguisher would have to contradict the HVZK property of one of the underlying Σ-protocols, or the indistinguishability of yes- and no-instances.

This can be instantiated efficiently if we are willing to assume about the coding or lattice problem or some other candidate problem that it also satisfies this stronger version of indistinguishability of yes- and no-instances. But it can also be instantiated in a version that can be based on any one-way function: First, the (unconditionally binding and computationally hiding) commitment scheme of Naor [20] is also secure against quantum adversaries, and exists if any one-way function exists. So consider the language of pairs $(pk, O)$ where $pk$ is a public key for the commitment scheme and $O$ is a commitment to 0. This language has a computational HVZK Σ-protocol using generic ZK techniques, driven by Naor's commitments. Furthermore, the set of no-instances $(pk, E)$ where $E$ is a commitment to 1 is easy to generate and hard to distinguish from the yes-instances.

5 Relaxed Honest-Verifier Quantum Proofs

It is a natural question whether QZK proof systems exist without having to rely upon common reference strings. In this section, we answer this question partially. We define a quantum interactive proof system associated to any Σ-protocol. Our scheme is QZK against a relaxed version of honest verifiers that we call non-oblivious. Intuitively, a non-oblivious verifier is a verifier having access to the same classical variables as the honest verifier. We show that any HVZK Σ-protocol can be turned into a non-oblivious verifier QZK proof using quantum communication.

5.1 Quantum Circuits for Σ-Protocols

Assume $L = L_R$ has a classical HVZK Σ-protocol $\Pi = (\mathsf{a}, \mathsf{c}, \mathsf{z})$. We specify unitary transforms $Z_x(a)$ and $T_x(a)$, depending on $a \leftarrow \mathsf{a}$, which implement quantum versions of the computations specified by $\mathsf{z}$ and $\mathsf{verify}$. Throughout, we assume without loss of generality that $\mathsf{c}$ samples $c$ uniformly from $\{0,1\}^t$ for some $t$.

The answer $z \leftarrow \mathsf{z}_x(a, c)$ to challenge $c$ when $a$ was announced during the first round can be computed quantumly through some unitary transform $Z_x(a)$ depending upon the initial announcement $a$. That is, provided quantum registers $P$ and $X$, we have:

$$Z_x(a) : |c\rangle^P |y\rangle^X \mapsto |c\rangle^P |y \oplus \mathsf{z}_x(a, c)\rangle^X.$$

Similarly, the testing process performed by $V$ can also be executed by a quantum circuit $T_x(a)$ depending on the announcement of $a$. Transformation $T_x(a)$ stores the output of the verification process in an extra one-qubit register $T$:

$$T_x(a) : |z\rangle^X |c\rangle^V |t\rangle^T \mapsto |z\rangle^X |c\rangle^V |t \oplus \mathsf{verify}_x(a, c, z)\rangle^T.$$

If $z \leftarrow \mathsf{z}_x(a, c)$ and $\mathsf{verify}_x(a, c, z)$ can be classically computed in polynomial time (given the randomness of the computation of $a$ and a witness $w \in W_R(x)$ for the former), circuits $Z_x(a)$ and $T_x(a)$ can be implemented by poly-size quantum circuits.

5.2 EPR-Pairs Based Proofs 

The idea behind the protocol is as follows. $P$ chooses $a \leftarrow \mathsf{a}$ and sends the answer to all possible challenges in quantum superposition to $V$. $V$ then verifies quantumly that all answers in the superposition are correct. In a further step, $P$ convinces $V$ that the state contains the answer to more than one challenge. Since $\Pi$ is assumed to be special sound, it follows that $x \in L$.

Concretely, $P$ starts by choosing $a \leftarrow \mathsf{a}$ and by preparing $t$ EPR pairs in

$$|\Omega_t\rangle = 2^{-t/2} \sum_{c \in \{0,1\}^t} |c\rangle^P |c\rangle^V = 2^{-t/2} \sum_{c \in \{0,1\}^t} |c\rangle^P_{\times} |c\rangle^V_{\times}. \tag{1}$$

The two equivalent ways of writing $|\Omega_t\rangle$ (the second written in the diagonal basis, indicated by the subscript $\times$) show that it exhibits the same correlation between registers $P$ and $V$ in both the computational and the diagonal bases. This property will be used later in the protocol. Now, $P$ adds an extra register $X$ initially in state $|0\rangle^X$ before applying $Z_x(a)$ upon registers $P$ and $X$. This results in the state

$$|\psi_a\rangle = 2^{-t/2} \sum_{c \in \{0,1\}^t} Z_x(a)\,|c\rangle^P |0\rangle^X \otimes |c\rangle^V = 2^{-t/2} \sum_{c \in \{0,1\}^t} |c\rangle^P |z\rangle^X \otimes |c\rangle^V, \tag{2}$$

where every $z$ in the superposition is computed as $z \leftarrow \mathsf{z}_x(a, c)$. $P$ then announces $a$ and sends registers $V$ and $X$ to $V$, allowing him to apply the verification quantum circuit $T_x(a)$ after adding an extra register $T$ initially in state $|0\rangle^T$. That is,

$$(\mathbb{1}_P \otimes T_x(a))\,|\psi_a\rangle |0\rangle^T = 2^{-t/2} \sum_{c \in \{0,1\}^t} |c\rangle^P \otimes T_x(a)\,|z\rangle^X |c\rangle^V |0\rangle^T = 2^{-t/2} \sum_{c \in \{0,1\}^t} |c\rangle^P \otimes |z\rangle^X |c\rangle^V |\mathsf{verify}_x(a, c, z)\rangle^T = |\psi_a\rangle \otimes |0\rangle^T.$$

$V$ then measures register $T$ in the computational basis and rejects if $|0\rangle^T$ is not observed. Provided $P$ was honest, the test will always be successful by assumption on the original Σ-protocol $\Pi$, and the verification process does not affect the state $|\psi_a\rangle$. $V$ then returns register $X$ back to $P$, who can recover $t$ shared EPR pairs by running $Z_x(a)^\dagger$, the inverse of $Z_x(a)$. Finally, $P$ measures register $P$ in the diagonal basis and announces the outcome to $V$. $V$ does the same to register $V$ and verifies that the same outcome is obtained. By the properties of EPR pairs (1), it follows that the measurements coincide provided $P$ was honest. A compact description of the protocol is given by Protocol 2 in Fig. 4.



Protocol 2: $V$ has input $x$, claimed to be in $L$; $P$ has input $x$ and $w \in W_R(x)$.

1. $P$ computes a first message $a \leftarrow \mathsf{a}$ and prepares the quantum state $|\psi_a\rangle = 2^{-t/2} \sum_{c \in \{0,1\}^t} |c\rangle^P |z\rangle^X |c\rangle^V$ as in (2), where $z \leftarrow \mathsf{z}_x(a, c)$, and he sends $a$ and the registers $X$ and $V$ to $V$.

2. $V$ runs the verification circuit $T_x(a)$ and rejects if a non-zero outcome is obtained. If the test was successful then $V$ returns register $X$ to $P$.

3. $P$ runs $(Z_x(a)^\dagger \otimes \mathbb{1}_V)\,|\psi_a\rangle = |\Omega_t\rangle \otimes |0\rangle^X$, measures the $P$ register in the diagonal basis and announces the outcome $c_P \in \{0,1\}^t$ to $V$.

4. $V$ accepts iff register $V$ measured in the diagonal basis produces outcome $c_V = c_P$.

Fig. 4. Non-oblivious verifier QZK proof.



5.3 Soundness

Consider $x \notin L$. We show that in Protocol 2, any prover $P$ has probability at most $2^{-t}$ to convince $V$, given that $\Pi$ is special sound. Let $a$ be announced by $P$ at step 1. By the special soundness property of $\Pi$, if $P$ passes the test at step 2, then in the state $|\psi_a\rangle$ shared between $P$ and $V$ the registers $V$ and $T$ are in the product state $|c\rangle^V |0\rangle^T$, where $c$ is the unique challenge that can be answered given the announcement of $a$. Since after register $X$ has been sent back to $P$, register $V$ is in a pure state, it follows that only one answer is possible when $V$ is measured in the computational basis. That is, $|c\rangle$ is guaranteed to be observed. However, $V$'s final test involves a measurement of that same register in the diagonal basis, and it is easy to see that the outcome of a measurement in the diagonal basis applied to $|c\rangle$ is uniformly distributed over $\{0,1\}^t$. This is a special case of the entropic uncertainty relations [18]. It follows:

Theorem 3. If $\Pi$ is a special-sound HVZK Σ-protocol for language $L = L_R$ where $\mathsf{c}$ samples in $\{0,1\}^t$, then Protocol 2 is a quantum interactive proof for $L$ with soundness error $2^{-t}$.

It should be mentioned that $\Pi$ being special sound is not a strictly necessary condition for Protocol 2 to be sound. A more careful analysis can handle the case where $\Pi$ is "not too far away" from special sound. For simplicity, in this paper we only address the case of special sound Σ-protocols.
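A classical simulation of Protocol 2, added here as an illustration (it is not code from the paper), with Schnorr's Σ-protocol playing the role of $\Pi$ on a constructed toy group. It tracks the joint state of registers $P$, $X$, $V$ as exact amplitudes and returns $V$'s acceptance probability for the honest prover (completeness) and for a cheating prover that can answer only one challenge $c^*$, reproducing the $2^{-t}$ bound of Theorem 3; it also shows that a cheater who naively runs step 1 in superposition does worse. The group parameters, $t = 3$, and the fixed values $r$, $c^*$, $z^*$ are all assumptions chosen so the numbers can be checked by hand.

```python
from fractions import Fraction

# Constructed toy parameters (not from the paper): q = 11 and 2q+1 = 23 are
# prime and g = 2 generates the order-q subgroup of Z_23^*.  Challenges are
# t = 3 bits, so every c in {0,1}^3 lies below q as Schnorr's protocol needs.
P_MOD, Q_ORD, GEN, T_BITS = 23, 11, 2, 3
CHALLENGES = range(2 ** T_BITS)


def verify(h, a, c, z):
    """Schnorr's verify_x(a, c, z) for the statement x = h = g^w: g^z == a * h^c."""
    return pow(GEN, z, P_MOD) == (a * pow(h, c, P_MOD)) % P_MOD


def honest_prover_state(w, r=5):
    """Honest P (knows w): announces a = g^r and prepares |psi_a> of eq. (2),
    sum_c |c>^P |z_c>^X |c>^V with z_c = r + c*w mod q.  Amplitudes are kept as
    unnormalised integers (all 1); probabilities are normalised later."""
    a = pow(GEN, r, P_MOD)
    answers = {c: (r + c * w) % Q_ORD for c in CHALLENGES}
    return a, answers, {(c, answers[c], c): 1 for c in CHALLENGES}


def cheating_prover_state(h, c_star=6, z_star=4, superpose=False):
    """Cheating P (no w): fixes c*, z* and sets a = g^{z*} h^{-c*}, so by
    special soundness only challenge c* is answerable.  With superpose=False
    it sends the product state |c*>^P |z*>^X |c*>^V, which always passes V's
    test; with superpose=True it naively runs step 1 with z* in every branch."""
    a = (pow(GEN, z_star, P_MOD) * pow(h, (-c_star) % Q_ORD, P_MOD)) % P_MOD
    answers = {c: z_star for c in CHALLENGES}   # what P's Z_x(a)^dagger removes
    if superpose:
        return a, answers, {(c, z_star, c): 1 for c in CHALLENGES}
    return a, answers, {(c_star, z_star, c_star): 1}


def parity(x):
    """Parity of a bit string, used for the inner product d.c mod 2."""
    return bin(x).count("1") & 1


def run_protocol(h, a, answers, state):
    """Steps 2-4 of Protocol 2 on a prover-prepared state; returns the exact
    probability that V accepts.  state maps (c_P, z, c_V) -> integer amplitude."""
    norm = sum(amp * amp for amp in state.values())
    # Step 2: T_x(a) writes verify_x(a, c_V, z) into T; V measures T and rejects
    # unless |0>^T is observed, which projects onto the verified branches.
    passed = {k: amp for k, amp in state.items() if verify(h, a, k[2], k[1])}
    passed_norm = sum(amp * amp for amp in passed.values())
    if passed_norm == 0:
        return Fraction(0)
    p_test = Fraction(passed_norm, norm)
    # Step 3: P applies Z_x(a)^dagger, XORing its answer for c_P out of X.
    uncomputed = {}
    for (c_p, z, c_v), amp in passed.items():
        key = (c_p, z ^ answers[c_p], c_v)
        uncomputed[key] = uncomputed.get(key, 0) + amp
    # Steps 3-4: P and V measure P and V in the diagonal basis; V accepts iff
    # the outcomes coincide.  H^{(x)t} on both registers maps alpha(c_P, c_V)
    # to 2^{-t} sum (-1)^{d_P.c_P + d_V.c_V} alpha(c_P, c_V); we add up the
    # squared amplitude over all d_P = d_V = d and every residual X value.
    agree = 0
    for d in CHALLENGES:
        for x in {k[1] for k in uncomputed}:
            amp_d = sum((-1) ** (parity(d & c_p) + parity(d & c_v)) * amp
                        for (c_p, z, c_v), amp in uncomputed.items() if z == x)
            agree += amp_d * amp_d
    p_agree = Fraction(agree, 2 ** (2 * T_BITS) * passed_norm)
    return p_test * p_agree


if __name__ == "__main__":
    w = 7
    h = pow(GEN, w, P_MOD)                     # statement x = h, witness w
    print("honest prover accepts w.p.", run_protocol(h, *honest_prover_state(w)))
    print("cheating, product state:", run_protocol(h, *cheating_prover_state(h)))
    print("cheating, superposed:", run_protocol(h, *cheating_prover_state(h, superpose=True)))
```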

5.4 Non-oblivious Verifier Quantum Zero-Knowledge

Classical Σ-protocols with large challenges are not known to be ZK against a dishonest verifier. This is due to the fact that rewinding allows the simulator to succeed only if it has a non-negligible probability to guess the challenge that the verifier will pick. This is true even with respect to verifiers that submit a uniformly distributed challenge $c \in \{0,1\}^t$ and are able to do the verification test as prescribed. To see this, let $\sigma : \{0,1\}^\ell \to \{0,1\}^\ell$ be a one-way permutation and let us assume for simplicity that $t = \ell$ and $\mathsf{a}$ samples $a$ from $\{0,1\}^t$. If $V$ announces challenge $c = a \oplus \sigma(m)$ for random $m \in \{0,1\}^\ell$ and $a \leftarrow \mathsf{a}$ announced by $P$ as first message, then the simulator must generate $(a, c, z, m)$ since it is part of $V$'s view. However, the simulator typically can compute $a$ only after having picked $c$, which means that it has to compute $m$ as $m = \sigma^{-1}(c \oplus a)$. Note that even though $c \oplus a$ is not necessarily uniformly distributed, it seems that the simulator typically does not have enough control over the value $c \oplus a$ to compute $m$.

Notice that a verifier $V$ acting as described above rejects a false statement with the same probability and chooses the challenge $c$ with the same distribution as an honest verifier, yet there is no known efficient simulator for $V$. In this section we show that Protocol 2 is quantum zero-knowledge provided that $V$ is non-oblivious of the value $c_V$ needed for the verification at step 4. More generally, we define non-oblivious verifiers the following way:

Definition 2. A verifier $V$ is said to be non-oblivious if it produces the same (public and private) variables as honest $V$ according to the same distribution.

As illustrated above, in contrast to an honest verifier a non-oblivious verifier can produce his variables in an arbitrary manner, as long as they are correctly distributed.

In Protocol 2, a non-oblivious verifier $V$ has access to the string $c_V$, so it can be made available to the simulator. Indeed, this allows one to produce a simulation of the interaction between $P$ and $V$. It is straightforward to verify that the simulator described in Fig. 5 generates the same view as when $V$ interacts with $P$:



Simulator: Input is $x \in L$.

1. Run the HVZK simulator for $\Pi$ in order to get a triplet $(a, c, z)$, and send $a$ together with the quantum state $|c\rangle|z\rangle$ to $V$.

2. If $V$ rejects $P$ then halt, otherwise throw away the state sent by $V$.

3. Extract $c_V$ using the non-obliviousness of $V$ and announce $c_P = c_V$.

Fig. 5. Simulator for Protocol 2.



Theorem 4. Protocol 2 built from a special-sound (statistical/perfect) HVZK Σ-protocol $\Pi$ is (statistical/perfect) QZK provided $V$ is non-oblivious.

A weaker assumption about $V$'s behavior would be obtained if the only constraint was that $V$ detects false statements with the same probability as the honest verifier $V$. Let us say that such a verifier is verification-enabled. In general, a verification-enabled verifier $V$ is not necessarily non-oblivious since in order to verify $P$'s announcement, $c_P$ does not necessarily have to be determined by $V$ without $P$'s help. However, it can be shown that for Σ-protocols with challenges of polylogarithmic size, any verification-enabled $V$ in Protocol 2 is also non-oblivious.



Acknowledgements 

The authors are grateful to Claude Crépeau for having introduced the problem to one of us and discussed its relevance. We would also like to thank Jesper Nielsen for enlightening discussions.



References 

1. Barak, B., How to Go Beyond the Black-box Simulation Barrier, in 42nd Annual Symposium on Foundations of Computer Science (FOCS), 2001.

2. Brassard, G., and C. Crépeau, Zero-Knowledge Simulation for Boolean Circuits, in Advances in Cryptology - CRYPTO 86, Lecture Notes in Computer Science, vol. 263, Springer-Verlag, 1987.

3. Brassard, G., D. Chaum, and C. Crépeau, Minimum Disclosure Proofs of Knowledge, JCSS, 37(2), 1988.

4. Blum, M., P. Feldman and S. Micali, Non-Interactive Zero-Knowledge and Its Applications, in 20th Annual Symposium on Theory Of Computing (STOC), 1988.

5. Canetti, R., Universally Composable Security: A New Paradigm for Cryptographic Protocols, in 42nd Annual Symposium on Foundations of Computer Science (FOCS), 2001.

6. Canetti, R., and M. Fischlin, Universally Composable Commitments, in Advances in Cryptology - CRYPTO 01, Lecture Notes in Computer Science, vol. 2139, Springer-Verlag, 2001.

7. Cramer, R., I. Damgård, and B. Schoenmakers, Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols, in Advances in Cryptology - CRYPTO 94, Lecture Notes in Computer Science, vol. 839, Springer-Verlag, 1994.

8. Crépeau, C., P. Dumais, D. Mayers and L. Salvail, Computational Collapse of Quantum State with Application to Oblivious Transfer, in Advances in Cryptology - TCC 04, Lecture Notes in Computer Science, vol. 2951, Springer-Verlag, 2004.

9. Damgård, I., Efficient Concurrent Zero-Knowledge in the Auxiliary String Model, in Advances in Cryptology - EUROCRYPT 00, Lecture Notes in Computer Science, vol. 1807, Springer-Verlag, 2000.

10. Damgård, I., S. Fehr, and L. Salvail, Zero-Knowledge Proofs and String Commitments Withstanding Quantum Attacks, full version of this paper, BRICS report nr. RS-04-9, available at www.brics.dk/RS/04/9, 2004.

11. Damgård, I., and J. Nielsen, Perfect Hiding and Perfect Binding Universally Composable Commitment Schemes with Constant Expansion Factor, in Advances in Cryptology - CRYPTO 02, Lecture Notes in Computer Science, vol. 2442, Springer-Verlag, 2002.

12. Dumais, P., D. Mayers, and L. Salvail, Perfectly Concealing Quantum Bit Commitment From Any Quantum One-Way Permutation, in Advances in Cryptology - EUROCRYPT 00, Lecture Notes in Computer Science, vol. 1807, Springer-Verlag, 2000.







Ivan Damgård, Serge Fehr, and Louis Salvail



13. Dwork, C., M. Naor, and A. Sahai, Concurrent Zero-Knowledge, in 30th Annual Symposium on Theory Of Computing (STOC), 1998.

14. Goldwasser, S., S. Micali, and C. Rackoff, The Knowledge Complexity of Interactive Proof Systems, in 17th Annual Symposium on Theory Of Computing (STOC), 1985.

15. Goldreich, O., S. Micali, and A. Wigderson, Proofs that Yield Nothing but their Validity, or All Languages in NP Have Zero-Knowledge Proof Systems, J. ACM, 38(3), 1991.

16. Fiat, A., and A. Shamir, How to Prove Yourself: Practical Solutions to the Identification and Signature Problem, in Advances in Cryptology - CRYPTO 86, Lecture Notes in Computer Science, vol. 263, Springer-Verlag, 1987.

17. Kitaev, A., and J. Watrous, Parallelization, Amplification, and Exponential Time Simulation of Quantum Interactive Proof Systems, in 32nd Annual Symposium on Theory of Computing (STOC), 2000.

18. Maassen, H., and J.B.M. Uffink, Generalized Entropic Uncertainty Relations, Phys. Rev. Letters, vol. 60, 1988.

19. Micciancio, D., and S. P. Vadhan, Statistical Zero-Knowledge Proofs with Efficient Provers: Lattice Problems and More, in Advances in Cryptology - CRYPTO 03, Lecture Notes in Computer Science, vol. 2729, Springer-Verlag, 2003.

20. Naor, M., Bit Commitment Using Pseudorandomness, Journal of Cryptology, vol. 4, no. 2, 1991.

21. Pfitzmann, B., and M. Waidner, Composition and Integrity Preservation of Secure Reactive Systems, in 7th ACM Conference on Computer and Communications Security, 2000.

22. Richardson, R. and J. Kilian, On the Concurrent Composition of Zero-Knowledge Proofs, in Advances in Cryptology - EUROCRYPT 99, Lecture Notes in Computer Science, vol. 1592, Springer-Verlag, 1999.

23. Shor, P., Algorithms for Quantum Computation: Discrete Logarithms and Factoring, in 35th Annual Symposium on Foundations of Computer Science (FOCS), 1994.

24. Watrous, J., PSPACE has Constant-Round Quantum Interactive Proof Systems, in 40th Annual Symposium on Foundations of Computer Science (FOCS), 1999.

25. Watrous, J., Succinct Quantum Proofs for Properties of Finite Groups, Proceedings of the 41st Annual Symposium on Foundations of Computer Science, 2000.

26. Watrous, J., Limits on the Power of Quantum Statistical Zero-Knowledge, in 43rd Annual Symposium on the Foundations of Computer Science (FOCS), 2002.

27. van de Graaf, J., Towards a Formal Definition of Security for Quantum Protocols, Ph.D. thesis, Computer Science and Operational Research Department, Université de Montréal, 1997.




The Knowledge-of-Exponent Assumptions 
and 3-Round Zero-Knowledge Protocols 



Mihir Bellare and Adriana Palacio 

Dept. of Computer Science & Engineering, University of California, San Diego
9500 Gilman Drive, La Jolla, CA 92093, USA
{mihir,apalacio}@cs.ucsd.edu
http://www-cse.ucsd.edu/users/{mihir,apalacio}



Abstract. Hada and Tanaka [11, 12] showed the existence of 3-round, negligible-error zero-knowledge arguments for NP based on a pair of non-standard assumptions, here called KEA1 and KEA2. In this paper we show that KEA2 is false. This renders vacuous the results of [11, 12]. We recover these results, however, under a suitably modified new assumption called KEA3. What we believe is most interesting is that we show that it is possible to "falsify" assumptions like KEA2 that, due to their nature and quantifier-structure, do not lend themselves easily to "efficient falsification" (Naor [15]).



1 Introduction 

A classical question in the theory of zero knowledge (ZK) [10] is whether there exist 3-round, negligible-error ZK proofs or arguments for NP. The difficulty in answering this question stems from the fact that such protocols would have to be non-black-box simulation ZK [9], and there are few approaches or techniques to this end. A positive answer has, however, been provided, by Hada and Tanaka [11, 12]. Their result (a negligible-error, 3-round ZK argument for NP) requires a pair of non-standard assumptions that we will denote by KEA1 and KEA2.

The assumptions, roughly. Let $q$ be a prime such that $2q+1$ is also prime, and let $g$ be a generator of the order $q$ subgroup of $\mathbb{Z}^*_{2q+1}$. Suppose we are given input $q, g, g^a$ and want to output a pair $(C, Y)$ such that $Y = C^a$. One way to do this is to pick some $c \in \mathbb{Z}_q$, let $C = g^c$ and let $Y = (g^a)^c$. Intuitively, KEA1 can be viewed as saying that this is the "only" way to produce such a pair. The assumption captures this by saying that any adversary outputting such a pair must "know" an exponent $c$ such that $g^c = C$. The formalization asks that there be an "extractor" that can return $c$. Roughly:

KEA1: For any adversary $A$ that takes input $q, g, g^a$ and returns $(C, Y)$ with $Y = C^a$, there exists an "extractor" $\bar{A}$, which given the same inputs as $A$ returns $c$ such that $g^c = C$.

Suppose we are given input $q, g, g^a, g^b, g^{ab}$ and want to output a pair $(C, Y)$ such that $Y = C^b$. One way to do this is to pick some $c \in \mathbb{Z}_q$, let $C = g^c$ and let $Y = (g^b)^c$. Another way is to pick some $c \in \mathbb{Z}_q$, let $C = (g^a)^c$ and let $Y = (g^{ab})^c$. Intuitively, KEA2 can be viewed as saying that these are the "only" ways to produce such a pair. The assumption captures this by saying that any adversary outputting such a pair must "know" an exponent $c$ such that either $g^c = C$ or $(g^a)^c = C$. The formalization asks that there be an "extractor" that can return $c$. Roughly:

KEA2: For any adversary $A$ that takes input $q, g, g^a, g^b, g^{ab}$ and returns $(C, Y)$ with $Y = C^b$, there exists an "extractor" $\bar{A}$, which given the same inputs as $A$ returns $c$ such that either $g^c = C$ or $(g^a)^c = C$.

As per [11, 12], adversaries and extractors are poly-size families of (deterministic) circuits. See Assumption 2 for a formalization of KEA2, and Assumption 4 for a formalization of KEA1.

M. Franklin (Ed.): CRYPTO 2004, LNCS 3152, pp. 273-289, 2004.

History and nomenclature of the assumptions. KEA1 is due to Damgård [7], and is used by [11, 12] to prove their protocol is ZK. To prove soundness of their protocol, Hada and Tanaka [11, 12] introduce and use KEA2. (In addition, they make the Discrete Logarithm Assumption, DLA.) The preliminary version of their work [11] referred to the assumptions as SDHA1 and SDHA2 (Strong Diffie-Hellman Assumptions 1 and 2), respectively. However, the full version [12] points out that the formalizations in the preliminary version are flawed, and provides corrected versions called non-uniform-DA1 and non-uniform-DA2. The latter are the assumptions considered in this paper, but we use the terminology of Naor [15] which we feel is more reflective of the content of the assumption: "KEA" stands for "Knowledge of Exponent Assumption", the exponent being the value $c$ above.

Falsifying KEA2. In this paper we show that KEA2 is false. What is interesting about this — besides the fact that it renders the results of [11, 12] vacuous — is that we are able to "falsify" an assumption whose nature, as pointed out by Naor [15], does not lend itself easily to "efficient falsification." Let us explain this issue before expanding more on the result itself.

The most standard format for an assumption is to ask that the probability that an adversary produces a certain output on certain inputs is negligible. For example, the Factoring assumption is of this type, asking that the probability that a polynomial-time adversary can output the prime factors of an integer (chosen by multiplying a pair of random primes) is negligible. To show such an assumption is false, we can present an "attack," in the form of an adversary whose success probability is not negligible. (For example, a polynomial-time factoring algorithm.) KEA1 and KEA2 are not of this standard format. They involve a more complex quantification: "For every adversary there exists an extractor such that ...". To show KEA2 is false, we must show there is an adversary for which there exists no extractor. As we will see later, it is relatively simple to identify an adversary for which there does not appear to exist an extractor, but how can we actually show that none of the infinite number of possible extractors succeeds?
An analogy. The difficulty of falsifying an assumption with the quantifier format of KEA2 may be better appreciated via an analogy. The definition of ZK has a similar quantifier format: "For every (cheating) verifier there exists a simulator such that ...". This makes it hard to show a protocol is not ZK, for, even though we may be able to identify a cheating verifier strategy that appears hard to simulate, it is not clear how we can actually show no simulator exists. (For example, it is hard to imagine how one could find a simulator for the cheating verifier, for Blum's ZK proof of Hamiltonian Cycle [5], that produces its challenges by hashing the permuted graphs sent by the prover in the first step. But there is to date no proof that such a simulator does not exist). However it has been possible to show protocols are not black-box simulation ZK [9], taking advantage of the fact that the quantification in this definition is different from that of ZK itself. It has also been possible to show conditional results, for example that the parallel version of the Fiat-Shamir [8] protocol is not ZK, unless there is no hash function that, when applied to collapse this protocol, results in a secure signature scheme [16]. Our result too is conditional.

Falsification result. At an intuitive level, the weakness in KEA2 is easy to see, and indeed it is surprising this was not noted before. Namely, consider an adversary $A$ that on input $q, g, g^a, g^b, g^{ab}$ picks $c_1, c_2$ in some fashion, and outputs $(C, Y)$ where $C = g^{c_1}(g^a)^{c_2}$ and $Y = (g^b)^{c_1}(g^{ab})^{c_2}$. Then $Y = C^b$, but this adversary does not appear to "know" $c$ such that either $g^c = C$ or $(g^a)^c = C$. The difficulty, however, as indicated above, is to prove that there does not exist an extractor. We do this by first specifying a particular strategy for choosing $c_1$ and $c_2$ and then showing that if there exists an extractor for the resulting adversary, then this extractor can be used to solve the discrete logarithm problem (DLP). Thus, our result (cf. Theorem 1) is that if the DLP is hard then KEA2 is false. Note that if the DLP is easy, then KEA2 is true, for the extractor can simply compute a discrete logarithm of $C$ and output it, and thus the assumption that it is hard is necessary to falsify KEA2.

Remark. We emphasize that we have not found any weaknesses in KEA1, an assumption used not only in [7, 11, 12] but also elsewhere.

KEA3. Providing a 3-round, negligible-error ZK protocol for NP is a challenging problem that has attracted considerable research effort. The fact that KEA2 is false means that we "lose" one of the only positive results [11, 12] that we had on this subject. Accordingly, we would like to "recover" it. To this end, we propose a modification of KEA2 that addresses the weakness we found. The new assumption is, roughly, as follows:

KEA3: For any adversary $A$ that takes input $q, g, g^a, g^b, g^{ab}$ and returns $(C, Y)$ with $Y = C^b$, there exists an "extractor" $\bar{A}$, which given the same inputs as $A$ returns $c_1, c_2$ such that $g^{c_1}(g^a)^{c_2} = C$.

Before proceeding to use this assumption, we note a relation that we consider interesting, namely, that KEA3 implies KEA1 (cf. Proposition 2)¹. The relation means that KEA3 is a natural extension of KEA1. It also allows us to simplify result statements, assuming only KEA3 rather than both this assumption and KEA1.
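The two "intended" KEA2 strategies, the mixed adversary of the falsification result, and the extractor conditions of KEA2 and KEA3, worked through on a constructed toy group (an example added here, not code from the paper). The parameters $q = 11$, $2q+1 = 23$, $g = 2$ and all exponents are assumptions chosen so the values can be checked by hand; the exhaustive-search extractor at the end exists only because the group is tiny, which is exactly the "if the DLP is easy, KEA2 is true" remark above.

```python
# Constructed toy parameters (not from the paper): q = 11 and 2q+1 = 23 are
# prime, and g = 2 is a quadratic residue mod 23, hence a generator of G_q.
Q, P, G = 11, 23, 2


def instance(a, b):
    """Public KEA2 input (A, B, X) = (g^a, g^b, g^{ab}); the exponents a and b
    belong to the experiment and are never handed to the adversary."""
    return pow(G, a, P), pow(G, b, P), pow(G, (a * b) % Q, P)


def strategy_one(c, A, B, X):
    """First intended way: C = g^c, Y = B^c = (g^b)^c."""
    return pow(G, c, P), pow(B, c, P)


def strategy_two(c, A, B, X):
    """Second intended way: C = A^c, Y = X^c = (g^{ab})^c."""
    return pow(A, c, P), pow(X, c, P)


def mixed_adversary(c1, c2, A, B, X):
    """The adversary of the falsification result: C = g^{c1} A^{c2} and
    Y = B^{c1} X^{c2}.  Y = C^b holds, yet no single c with g^c = C or
    A^c = C is 'known' to it."""
    C = (pow(G, c1, P) * pow(A, c2, P)) % P
    Y = (pow(B, c1, P) * pow(X, c2, P)) % P
    return C, Y


def relation_holds(b, C, Y):
    """The check Y = C^b made inside the KEA2 experiment, which knows b."""
    return Y == pow(C, b, P)


def kea2_extractor_succeeds(c, A, C):
    """An extractor output c satisfies KEA2 iff g^c = C or A^c = C."""
    return pow(G, c, P) == C or pow(A, c, P) == C


def kea3_extractor_succeeds(c1, c2, A, C):
    """An extractor output (c1, c2) satisfies KEA3 iff g^{c1} A^{c2} = C."""
    return (pow(G, c1, P) * pow(A, c2, P)) % P == C


def dlog_extractor(A, C):
    """What a KEA2 extractor for the mixed adversary has to do: find c with
    g^c = C, i.e. solve a discrete logarithm (c = c1 + a*c2 mod q).  Exhaustive
    search over Z_q is feasible only in this toy group; in a real group an
    efficient extractor would contradict the DLA, which is Theorem 1."""
    for c in range(Q):
        if pow(G, c, P) == C:
            return c
    return None


if __name__ == "__main__":
    a, b = 3, 5                                  # constructed secret exponents
    A, B, X = instance(a, b)
    C, Y = mixed_adversary(2, 7, A, B, X)
    print("Y == C^b:", relation_holds(b, C, Y))
    print("KEA3 extractor with (c1, c2) = (2, 7):", kea3_extractor_succeeds(2, 7, A, C))
    c = dlog_extractor(A, C)
    print("KEA2 extractor must output the dlog c =", c, "->", kea2_extractor_succeeds(c, A, C))
```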

Recovering the ZK result. Let HTP denote the 3-round protocol of Hada 
and Tanaka, which they claim to be sound (i.e., have negligible error) and ZK. 
The falsity of KEA2 invalidates their proof of soundness. However, this does 
not mean that HTP is not sound: perhaps it is and this could be proved under 
another assumption, such as KEA3. This turns out to be almost, but not quite, 
true. We identify a small bug in HTP based on which we can present a successful 
cheating prover strategy, showing that HTP is not sound. This is easily fixed, 
however, to yield a protocol we call pHTP (patched HTP). This protocol is 
close enough to HTP that the proof of ZK (based on KEA1) is unchanged. On
the other hand, the proof of soundness of HTP provided in [12] extends with 
very minor modifications to prove soundness of pHTP based on KEA3 and DLA 
(cf. Theorem 2). In summary, assuming KEA3 and DLA, there exists a 3-round, 
negligible error ZK argument for NP. 

Strength of the assumptions. The knowledge-of-exponent assumptions are 
strong and non-standard ones, and have been criticized for assuming that one 
can perform what some people call “reverse engineering” of an adversary. These 
critiques are certainly valid. Our falsification of KEA2 does not provide infor- 
mation on this aspect of the assumptions, uncovering, rather, other kinds of 
problems. However, by showing that such assumptions can be falsified, we open 
the door to further analyses. 

We also stress that in recovering the result of [12] on 3-round ZK we have not 
succeeded in weakening the assumptions on which it is based, for KEA3 certainly 
remains a strong assumption of the same non-standard nature as KEA1.

Related Work. Since [11, 12] there has been more progress with regard to the 
design of non-black-box simulation ZK protocols [1]. However, this work does 
not provide a 3-round, negligible-error ZK protocol for NP. To date, there have 
been only two positive results. One is that of [11, 12], broken and recovered in 
this paper. The other, which builds a proof system rather than an argument, is 
reported in [14] and further documented in [13]. It also relies on non-standard 
assumptions, but different from the Knowledge of Exponent type ones. Roughly, 
they assume the existence of a hash function such that a certain discrete-log- 
based protocol, that uses this hash function and is related to the non-interactive 
OT of [3], is a proof of knowledge.



¹ KEA2 was not shown by [12] to imply KEA1. Our proof of Proposition 2 does extend to establish it, but the point is moot since KEA2 is false and hence of course implies everything anyway.
2 Preliminaries

If $x$ is a binary string, then $|x|$ denotes its length, and if $n \geq 1$ is an integer, then $|n|$ denotes the length of its binary encoding, meaning the unique integer $\ell$ such that $2^{\ell-1} \leq n < 2^{\ell}$. The empty string is denoted $\varepsilon$. We let $\mathbb{N} = \{1, 2, 3, \ldots\}$ be the set of positive integers. If $q$ is a prime number such that $2q+1$ is also prime, then we denote by $G_q$ the subgroup of quadratic residues of $\mathbb{Z}^*_{2q+1}$. (Operations are modulo $2q+1$ but we will omit writing "mod $2q+1$" for simplicity.) Recall this is a cyclic subgroup of order $q$. If $g$ is a generator of $G_q$ then we let $\mathrm{DLog}_{q,g} : G_q \to \mathbb{Z}_q$ denote the associated discrete logarithm function, meaning $\mathrm{DLog}_{q,g}(g^a) = a$ for any $a \in \mathbb{Z}_q$. We let

$$\mathrm{GL} = \{ (q, g) : q, 2q+1 \text{ are primes and } g \text{ is a generator of } G_q \}.$$

For any $n \in \mathbb{N}$ we let $\mathrm{GL}_n$ be the set of all $(q, g) \in \mathrm{GL}$ such that the length of the binary representation of $2q+1$ is $n$ bits, i.e.,

$$\mathrm{GL}_n = \{ (q, g) \in \mathrm{GL} : |2q+1| = n \}.$$

Assumptions and problems in [11, 12] involve circuits. A family of circuits $C = \{C_n\}_{n \in \mathbb{N}}$ contains one circuit for each value of $n \in \mathbb{N}$. It is poly-size if there is a polynomial $p$ such that the size of $C_n$ is at most $p(n)$ for all $n \in \mathbb{N}$. Unless otherwise stated, circuits are deterministic. If they are randomized, we will say so explicitly. We now recall the DLA following [12].

Assumption 1. [DLA] Let $I = \{I_n\}_{n \in \mathbb{N}}$ be a family of randomized circuits, and $\nu : \mathbb{N} \to [0,1]$ a function. We associate to any $n \in \mathbb{N}$ and any $(q, g) \in \mathrm{GL}_n$ the following experiment:

Experiment $\mathbf{Exp}^{\mathrm{dl}}_{I}(n, q, g)$
$a \leftarrow \mathbb{Z}_q$; $A \leftarrow g^a$; $\bar{a} \leftarrow I_n(q, g, A)$; If $\bar{a} = a$ then return 1 else return 0

We let

$$\mathbf{Adv}^{\mathrm{dl}}_{I}(n, q, g) = \Pr\left[\mathbf{Exp}^{\mathrm{dl}}_{I}(n, q, g) = 1\right]$$

denote the advantage of $I$ on inputs $n, q, g$, the probability being over the random choice of $a$ and the coins of $I_n$, if any. We say that $I$ has success bound $\nu$ if

$$\forall n \in \mathbb{N}\ \ \forall (q, g) \in \mathrm{GL}_n : \mathbf{Adv}^{\mathrm{dl}}_{I}(n, q, g) \leq \nu(n).$$

We say that the Discrete Logarithm Assumption (DLA) holds if for every poly-size family of circuits $I$ there exists a negligible function $\nu$ such that $I$ has success bound $\nu$. ∎



The above formulation of the DLA, which, as we have indicated, follows [12], has 
some non-standard features that are important for their results. Let us discuss 
these briefly. 

First, we note that the definition of the success bound is not with respect 
to (g, g) being chosen according to some distribution as is standard, but rather 
makes the stronger requirement that the advantage of I is small for all (g, g). 
Second, we stress that the assumption only requires poly-size families of deterministic circuits to have a negligible success bound. However, in their proofs, which aim to contradict the DLA, Hada and Tanaka [11, 12] build adversaries that are poly-size families of randomized circuits, and then argue that these can be converted to related poly-size families of deterministic circuits that do not have a negligible success bound. We will also need to build such randomized adversaries, but, rather than using ad hoc conversion arguments repeated across proofs, we note the following more general Proposition, which simply says that DLA, as per Assumption 1, implies that poly-size families of randomized circuits also have a negligible success bound. We will appeal to this in several later places in this paper.

Proposition 1. Assume the DLA, and let $J = \{J_n\}_{n \in \mathbb{N}}$ be a poly-size family of randomized circuits. Then there exists a negligible function $\nu$ such that $J$ has success bound $\nu$. ∎

As is typical in such claims, the proof proceeds by showing that for every n there exists a “good” choice of coins for J_n, and by embedding these coins we get a deterministic circuit. For completeness, we provide the proof in the full version of this paper [4]. 



3 KEA2 Is False 



We begin by recalling the assumption. Our presentation is slightly different from, 
but clearly equivalent to, that of [12]: we have merged the two separate condi- 
tions of their formalization into one. Recall that they refer to this assumption 
as “non-uniform-DA2,” and it was referred to, under a different and incorrect 
formalization, as SDHA2 in [11]. 



Assumption 2. [KEA2] Let A = {A_n}_{n∈N} and Ā = {Ā_n}_{n∈N} be families of circuits, and ν : N → [0, 1] a function. We associate to any n ∈ N, any (q, g) ∈ GL_n, and any A ∈ G_q the following experiment:

Experiment Exp^{kea2}_{A,Ā}(n, q, g, A)
  b ←$ Z_q ; B ← g^b ; X ← A^b
  (C, Y) ← A_n(q, g, A, B, X) ; c ← Ā_n(q, g, A, B, X)
  If (Y = C^b AND g^c ≠ C AND A^c ≠ C) then return 1 else return 0

We let

$$\mathbf{Adv}^{\mathrm{kea2}}_{A,\bar{A}}(n,q,g,A) = \Pr\left[\mathbf{Exp}^{\mathrm{kea2}}_{A,\bar{A}}(n,q,g,A) = 1\right]$$

denote the advantage of A relative to Ā on inputs n, q, g, A. We say that Ā is a kea2-extractor for A with error bound ν if

$$\forall n \in \mathbb{N}\ \forall (q,g) \in GL_n\ \forall A \in G_q : \mathbf{Adv}^{\mathrm{kea2}}_{A,\bar{A}}(n,q,g,A) \le \nu(n) .$$

We say that KEA2 holds if for every poly-size family of circuits A there exists a poly-size family of circuits Ā and a negligible function ν such that Ā is a kea2-extractor for A with error bound ν. ∎
We stress again that in the above formulations, following [12], both the adversary and the extractor are families of deterministic circuits. One can consider various variants of the assumptions, including an extension to families of randomized circuits, and we discuss these variants following the theorem below. 

Theorem 1. If the DLA holds then KEA2 is false. ∎



The basic idea behind the failure of the assumption, as sketched in Section 1, is simple. Consider an adversary given input q, g, A, B, X, where A = g^a, B = g^b and X = g^{ab}. The assumption says that there are only two ways for the adversary to output a pair C, Y satisfying Y = C^b. One way is to pick some c, let C = g^c and let Y = B^c. The other way is to pick some c, let C = A^c and let Y = X^c. The assumption thus states that the adversary “knows” c such that either C = g^c (i.e., c = DLog_{q,g}(C)) or C = A^c (i.e., c = DLog_{q,A}(C)). This ignores the possibility of performing a linear combination of the two steps above. In other words, an adversary might pick c1, c2, let C = g^{c1}A^{c2} and Y = B^{c1}X^{c2}. In this case, Y = C^b but the adversary does not appear to necessarily know DLog_{q,g}(C) = c1 + c2·DLog_{q,g}(A) or DLog_{q,A}(C) = c1·DLog_{q,A}(g) + c2. 

However, going from this intuition to an actual proof that the assumption is false takes some work, for several reasons. The above may be intuition that there exists an adversary for which there would not exist an extractor, but we need to prove that there is no extractor. This cannot be done unconditionally, since certainly if the discrete logarithm problem (DLP) is easy, then in fact there is an extractor: it simply computes DLog_{q,g}(C) and returns it. Accordingly, our strategy will be to present an adversary A for which we can prove that if there exists an extractor Ā then there is a method to efficiently compute the discrete logarithm of A. 

An issue in implementing this is that the natural adversary A arising from the above intuition is randomized, picking c1, c2 at random and forming C, Y as indicated, but our adversaries must be deterministic. We resolve this by designing an adversary that makes certain specific choices of c1, c2. We now proceed to the formal proof. 



Proof of Theorem 1. Assume to the contrary that KEA2 is true. We show that the DLP is easy. 

The outline of the proof is as follows. We first construct an adversary A for the KEA2 problem. By assumption, there exists for it an extractor Ā with negligible error bound. Using Ā, we then present a poly-size family of randomized circuits J = {J_n}_{n∈N} and show that it does not have a negligible success bound. By Proposition 1, this contradicts the DLA. 

The poly-size family of circuits A = {A_n}_{n∈N} is presented in Figure 1. Now, under KEA2, there exists a poly-size family of circuits Ā = {Ā_n}_{n∈N} and a negligible function ν such that Ā is an extractor for A with error bound ν. Using Ā, we define the poly-size family of circuits J = {J_n}_{n∈N} shown in Figure 1. 



Claim 1. For all n ∈ N, all (q, g) ∈ GL_n and all A ∈ G_q

$$\Pr\left[\, a \leftarrow J_n(q,g,A) : g^a \ne A \,\right] \le \nu(n) . \quad \blacksquare$$
Adversary A_n(q, g, A, B, X)
  C ← gA ; Y ← BX
  Return (C, Y)

Adversary J_n(q, g, A)
  b ←$ Z_q ; B ← g^b ; X ← A^b
  c ← Ā_n(q, g, A, B, X)
  C ← gA
  If g^c = C then a ← (c − 1) mod q EndIf
  If A^c = C then a ← (c − 1)^{-1} mod q EndIf
  Return a

Fig. 1. Adversary A = {A_n}_{n∈N} for the KEA2 problem and adversary J = {J_n}_{n∈N} for the DLP, for the proof of Theorem 1. 



Note the claim shows much more than we need. Namely, J does not merely have 
a success bound that is not negligible. In fact, it succeeds with probability almost 
one. 

Proof (Claim 1). We let Pr[·] denote the probability in the experiment of executing J_n(q, g, A). We first write some inequalities leading to the claim and then justify them: 

$$\Pr[g^a \ne A] \le \Pr[g^c \ne C \wedge A^c \ne C] \quad (1)$$

$$\le \mathbf{Adv}^{\mathrm{kea2}}_{A,\bar{A}}(n,q,g,A) \quad (2)$$

$$\le \nu(n) . \quad (3)$$

We justify Equation (1) by showing that if g^c = C or A^c = C then g^a = A. First assume g^c = C. Since C = gA, we have g^c = gA, whence A = g^{c−1}. Since we set a = (c − 1) mod q, we have A = g^a. Next assume A^c = C. Since C = gA, we have A^c = gA, whence A^{c−1} = g. Now observe that c ≠ 1, because otherwise A^c = A ≠ gA. (Since g is a generator, it is not equal to 1). Since c ≠ 1 and q is prime, c − 1 has an inverse modulo q which we have denoted by a. Raising both sides of the equation “A^{c−1} = g” to the power a we get A = g^a. 

Exp^{kea2}_{A,Ā}(n, q, g, A) returns 1 exactly when Y = C^b and g^c ≠ C and A^c ≠ C. By construction of A, we have C = gA and Y = BX, and thus Y = C^b, so Exp^{kea2}_{A,Ā}(n, q, g, A) returns 1 exactly when g^c ≠ C and A^c ≠ C. This justifies Equation (2). 

Equation (3) is justified by the assumption that Ā is an extractor for A with error bound ν. ∎

Claim 1 implies that J does not have a negligible success bound, which, by 
Proposition 1, shows that the DLP is not hard, contradicting the assumption 
made in this Theorem. This completes the proof of Theorem 1. 

Extensions and variants. There are many ways in which the formalization 
of Assumption 2 can be varied to capture the same basic intuition. However, 
Theorem 1 extends to these variants as well. Let us discuss this briefly. 
As mentioned above, we might want to allow the adversary to be randomized. 
(In that case, it is important that the extractor get the coins of the adversary as 
an additional input, since otherwise the assumption is clearly false.) Theorem 1 
remains true for the resulting assumption, in particular because it is stronger 
than the original assumption. (Note however that the proof of the theorem would 
be easier for this stronger assumption.) 

Another variant is that adversaries and extractors are uniform, namely stan- 
dard algorithms, not circuits. (In this case we should certainly allow both to 
be randomized, and should again give the extractor the coins of the adversary.) 
Again, it is easy to see that Theorem 1 extends to show that the assumption 
remains false. 



4 The KEA3 Assumption 



The obvious fix to KEA2 is to take into account the possibility of linear combi- 
nations by saying this is the only thing the adversary can do. This leads to the 
following. 



Assumption 3. [KEA3] Let A = {A_n}_{n∈N} and Ā = {Ā_n}_{n∈N} be families of circuits, and ν : N → [0, 1] a function. We associate to any n ∈ N, any (q, g) ∈ GL_n, and any A ∈ G_q the following experiment:

Experiment Exp^{kea3}_{A,Ā}(n, q, g, A)
  b ←$ Z_q ; B ← g^b ; X ← A^b
  (C, Y) ← A_n(q, g, A, B, X) ; (c1, c2) ← Ā_n(q, g, A, B, X)
  If (Y = C^b AND g^{c1}A^{c2} ≠ C) then return 1 else return 0

We let

$$\mathbf{Adv}^{\mathrm{kea3}}_{A,\bar{A}}(n,q,g,A) = \Pr\left[\mathbf{Exp}^{\mathrm{kea3}}_{A,\bar{A}}(n,q,g,A) = 1\right]$$

denote the advantage of A relative to Ā on inputs n, q, g, A. We say that Ā is a kea3-extractor for A with error bound ν if

$$\forall n \in \mathbb{N}\ \forall (q,g) \in GL_n\ \forall A \in G_q : \mathbf{Adv}^{\mathrm{kea3}}_{A,\bar{A}}(n,q,g,A) \le \nu(n) .$$

We say that KEA3 holds if for every poly-size family of circuits A there exists a poly-size family of circuits Ā and a negligible function ν such that Ā is a kea3-extractor for A with error bound ν. ∎



We have formulated this assumption in the style of the formalization of KEA2 
of [12] given in Assumption 2. Naturally, variants such as discussed above are 
possible. Namely, we could strengthen the assumption to allow the adversary 
to be a family of randomized circuits, of course then giving the extractor the 
adversary’s coins as an additional input. We do not do this because we do not 
need it for what follows. We could also formulate a uniform-complexity version 
of the assumption. We do not do this because it does not suffice to prove the 
results that follow. However, these extensions or variations might be useful in 
other contexts. 
In Appendix A we recall the formalization of KEA1 and prove the following: 

Proposition 2. KEA3 implies KEA1. ∎

This indicates that KEA3 is a natural extension of KEA1. 

5 Three-Round Zero Knowledge 

The falsity of KEA2 renders vacuous the result of [11,12] saying that there 
exists a negligible-error, 3-round ZK argument for NP. In this section we look 
at recovering this result. 

We first consider the protocol of [11,12], here called HTP. What has been 
lost is the proof of soundness (i.e., of negligible error). The simplest thing one 
could hope for is to re-prove soundness of HTP under KEA3 without modifying 
the protocol. However, we identify a bug in HTP that renders it unsound. This 
bug has nothing to do with the assumptions on which the proof of soundness 
was or can be based. 

The bug is, however, small and easily fixed. We consider a modified protocol which we call pHTP. We are able to show it is sound (i.e., has negligible error) under KEA3. Since we have modified the protocol we need to re-establish ZK under KEA1 as well, but this is easily done. 

Arguments. We begin by recalling some definitions. An argument for an NP 
language L [6] is a two-party protocol in which a polynomial-time prover tries 
to “convince” a polynomial-time verifier that their common input x belongs to 
L. (A party is said to be polynomial time if its running time is polynomial in 
the length of the common input.) In addition to x, the prover has an auxiliary 
input a. The protocol is a message exchange at the end of which the verifier 
outputs a bit indicating its decision to accept or reject. The probability (over 
the coin tosses of both parties) that the verifier accepts is denoted Acc^{P,a}_V(x). 
The formal definition follows. 

Definition 1. A two-party protocol (P, V), where P and V are both polynomial time, is an argument for L with error probability δ : N → [0, 1], if the following conditions are satisfied: 

Completeness: For all x ∈ L there exists w ∈ {0, 1}* such that Acc^{P,w}_V(x) = 1. 
Soundness: For all probabilistic polynomial-time algorithms P̂, all sufficiently long x ∉ L, and all a ∈ {0, 1}*, Acc^{P̂,a}_V(x) ≤ δ(|x|). 

We say (P, V) is a negligible-error argument for L if there exists a negligible function δ : N → [0, 1] such that (P, V) is an argument for L with error probability δ. ∎

Canonical protocols. The 3-round protocol proposed by [11,12], which we 
call HTP, is based on a 3-round argument (P, V) for an NP-complete language 
L with the following properties: 
Prover P                                        Verifier V
Initial State St = (x, w, R)
((Cmt, q, g), St) ← P(ε; St)    ——(Cmt, q, g)——→   d ← 1 ; n ← |x|
                                                   If (q, g) ∉ GL_n then d ← 0 EndIf
                                                   r ←$ Z_q^* ; Ch ← g^r
                                ←——Ch——
(Rsp, St) ← P(Ch; St)           ——Rsp——→
                                                   If DEC_x((Cmt, q, g), Ch, Rsp) = 0
                                                   then d ← 0 EndIf

Fig. 2. A 3-round argument. The common input is x. Prover P has auxiliary input w and random tape R, and maintains state St. Verifier V returns boolean decision d. 



(1) The protocol is of the form depicted in Figure 2. The prover is identified with a function P that given an incoming message M_in (this is ε when the prover is initiating the protocol) and its current state St, returns an outgoing message M_out and an updated state. The initial state of the prover is (x, w, R), where x is the common input, w is an auxiliary input and R is a random tape. The prover’s first message is called its commitment. This is a tuple consisting of a string Cmt, a prime number q and an element g, where (q, g) ∈ GL_{|x|}. The verifier selects a challenge Ch uniformly at random from G_q, and, upon receiving a response Rsp from the prover, applies a deterministic decision predicate DEC_x((Cmt, q, g), Ch, Rsp) to compute a boolean decision. 

(2) For any x ∉ L and any commitment (Cmt, q, g), where (q, g) ∈ GL_{|x|}, there is at most one challenge Ch ∈ G_q for which there exists a response Rsp ∈ {0, 1}* such that DEC_x((Cmt, q, g), Ch, Rsp) = 1. This property is called strong soundness. 

(3) The protocol is honest-verifier zero knowledge (HVZK), meaning there exists a probabilistic polynomial-time simulator S such that the following two ensembles are computationally indistinguishable: 

$$\{S(x)\}_{x \in L} \quad \text{and} \quad \{\mathrm{View}^{P,W(x)}_{V}(x)\}_{x \in L} ,$$

where W is any function that given an input in L returns a witness to its membership in L, and View^{P,W(x)}_V(x) is a random variable taking value V’s internal coin tosses and the sequence of messages it receives during an interaction between prover P (with auxiliary input W(x)) and verifier V on common input x. 
Prover P                                            Verifiers V, V'
Initial State St = (x, w, R)
((Cmt, q, g), St) ← P(ε; St)
a ←$ Z_q ; A ← g^a               ——(Cmt, q, g, A)——→   d ← 1 ; n ← |x|
                                                       If (q, g) ∉ GL_n then d ← 0 EndIf
                                                       b ←$ Z_q ; B ← g^b ; X ← A^b
                                 ←——(B, X)——
If X ≠ B^a then abort
else c ←$ Z_q^* ; C ← g^c ; Ch ← B^c
     (Rsp, St) ← P(Ch; St) EndIf
                                 ——(Rsp, C, Ch)——→
                                                       If Ch ≠ C^b ∨ [Ch = 1] ∨
                                                       DEC_x((Cmt, q, g), Ch, Rsp) = 0
                                                       then d ← 0 EndIf

Fig. 3. HTP and pHTP. Verifier V of protocol HTP = (P, V) does not include the highlighted portion (the bracketed test [Ch = 1]). Verifier V' of protocol pHTP = (P, V') does. 



If {P,V) is a 3-round argument for an NP-complete language, meeting the three 
conditions above, then we refer to (P, V) as a canonical argument. In what 
follows, we assume that we have such canonical arguments. They can be con- 
structed in various ways. For example, a canonical argument can be constructed 
by modifying the parallel composition of Blum’s zero-knowledge protocol for the 
Hamiltonian circuit problem [5], as described in [11, 12]. 

The Hada-Tanaka protocol. Let (P, V) be a canonical argument for an NP-complete language L, and let DEC be the verifier’s decision predicate. The Hada-Tanaka protocol HTP = (P, V) is described in Figure 3. Note V’s decision predicate does not include the highlighted portion of its code. 

We now observe that the HTP protocol is unsound. More precisely, there exist canonical arguments such that the HTP protocol based on them does not have negligible error. This is true for any canonical argument (P, V) satisfying the extra condition that for infinitely many x ∉ L there exists a commitment (Cmt_x, q_x, g_x) for which there is a response Rsp_x to challenge 1 that will make the verifier accept. There are many such canonical arguments. For instance, a canonical argument satisfying this condition results from using an appropriate encoding of group elements in Hada and Tanaka’s modification of the parallel composition of Blum’s zero-knowledge protocol for the Hamiltonian circuit problem. 
Proposition 3. Let HTP be the Hada-Tanaka protocol based on a canonical argument satisfying the condition stated above. Then there exists a polynomial-time prover for HTP that can make the verifier accept with probability one for infinitely many common inputs not in L. ∎

Proof (Proposition 3). Let (P, V) be the canonical argument and let V be the verifier of the corresponding protocol HTP. Consider a cheating prover P̂ that on initial state (x, ((Cmt_x, q_x, g_x), Rsp_x), ε) selects an exponent a ∈ Z_q uniformly at random, and sends (Cmt_x, q_x, g_x, g_x^a) as its commitment to verifier V. Upon receiving a challenge (B, X), it checks if X = B^a. If not, it aborts. Otherwise, it sends (Rsp_x, 1, 1) as its response to V. By the assumption about protocol (P, V), for infinitely many x ∉ L there exists an auxiliary input y = ((Cmt_x, q_x, g_x), Rsp_x) ∈ {0, 1}* such that Acc^{P̂,y}_V(x) = 1. ∎

Protocol pHTP. The above attack can be avoided by modifying the verifier 
to include the highlighted portion of the code in Figure 3. We call the resulting 
verifier V' . The following guarantees that the protocol pHTP = (P, V') is sound 
under KEA3, if the DLP is hard. 

Theorem 2. If KEA3 holds, the DLA holds, and (P, V) is a canonical 3-round argument for an NP-complete language L, then pHTP = (P, V') as defined in Figure 3 is a negligible-error argument for L. 

Proof of Theorem 2. The proof is almost identical to that of [12]. For com- 
pleteness, however, we provide it. 

Completeness follows directly from the completeness of protocol (P, V). To prove soundness, we proceed by contradiction. Assume that pHTP is not sound, i.e., there is no negligible function δ such that the soundness condition in Definition 1 holds with respect to δ. We show that the DLP is easy under KEA3. 

By the assumption that pHTP is not sound and a result of [2], there exists a probabilistic polynomial-time algorithm P̂ such that the function 

$$\mathrm{Err}_{\hat{P}}(n) = \max\left\{\, \mathbf{Acc}^{\hat{P},a}_{V'}(x) : x \in \{0,1\}^n \wedge x \notin L \wedge a \in \{0,1\}^* \,\right\}^{1}$$

is not negligible. Hence there exists a probabilistic polynomial-time algorithm P̂, a polynomial p, and an infinite set S = { (x, a) : x ∈ {0, 1}* \ L ∧ a ∈ {0, 1}* } such that for every (x, a) ∈ S 

$$\mathbf{Acc}^{\hat{P},a}_{V'}(x) \ge 1/p(|x|) , \quad (4)$$

and { x ∈ {0, 1}* : ∃a ∈ {0, 1}* such that (x, a) ∈ S } is infinite. 

Since P̂ takes an auxiliary input a, we may assume, without loss of generality, that P̂ is deterministic. We also assume that, if (Cmt, q', g', A') is P̂’s commitment on input ε when the initial state is (x, a, ε), for some x, a ∈ {0, 1}* with |x| = n, then (q', g') ∈ GL_n. (There exists a prover P̂' for which Acc^{P̂',a}_{V'}(x) = 

^1 We note that this set is finite since P̂ is a polynomial-time algorithm and Acc^{P̂,a}_{V'}(x) depends only on the first t_{P̂}(|x|) bits of a, where t_{P̂}() is the running time of P̂. 
Adversary A_n(q, g, A, B, X)    // n ∈ K
  St ← (x, a, ε) ; ((Cmt, q', g', A'), St) ← P̂(ε; St)
  If q' ≠ q ∨ g' ≠ g ∨ A' ≠ A then return (1, 1)
  else ((Rsp, C, Ch), St) ← P̂((B, X); St) ; return (C, Ch) EndIf

Adversary A_n(q, g, A, B, X)    // n ∉ K
  Return (1, 1)

Adversary J_n(q, g, A)    // n ∈ K
  St ← (x, a, ε) ; ((Cmt, q', g', A'), St) ← P̂(ε; St)
  If q' ≠ q ∨ g' ≠ g then return ⊥ EndIf
  b ←$ Z_q ; B ← A · g^b ; X ← B^{a'}
  ((Rsp, C, Ch), St_1) ← P̂((B, X); St) ; (c1, c2) ← Ā_n(q, g, A', B, X)
  If DEC_x((Cmt, q, g), Ch, Rsp) = 0 ∨ Ch ≠ B^{c1}X^{c2} then return ⊥ EndIf
  b' ←$ Z_q ; B' ← g^{b'} ; X' ← B'^{a'}
  If B = B' then a ← b' − b mod q ; return a EndIf
  ((Rsp', C', Ch'), St_2) ← P̂((B', X'); St) ; (c1', c2') ← Ā_n(q, g, A', B', X')
  If DEC_x((Cmt, q, g), Ch', Rsp') = 0 ∨ Ch' ≠ B'^{c1'}X'^{c2'} then return ⊥ EndIf
  If c1 + a'c2 ≠ 0 (mod q) then
    a ← (b'c1' + b'a'c2' − bc1 − ba'c2) · (c1 + a'c2)^{-1} mod q ; return a
  else return ⊥ EndIf

Adversary J_n(q, g, A)    // n ∉ K
  Return ⊥

Fig. 4. Adversary A = {A_n}_{n∈N} for the KEA3 problem and adversary J = {J_n}_{n∈N} for the DLP, for the proof of Theorem 2. 



Acc^{P̂,a}_{V'}(x) for every x, a ∈ {0, 1}* and this assumption holds.) We will use P̂ to construct an adversary A for the KEA3 problem. By assumption, there exists for it an extractor Ā with negligible error bound. Using Ā and P̂, we then present a poly-size family of randomized circuits J = {J_n}_{n∈N} and show that it does not have a negligible success bound. By Proposition 1, this shows that the DLP is not hard. 

Let K = { n ∈ N : ∃(x, a) ∈ S such that |x| = n }. We observe that K is an infinite set. For each n ∈ K, fix (x, a) ∈ S such that |x| = n. The poly-size family of circuits A = {A_n}_{n∈N} is presented in Figure 4. Now, under KEA3, there exists a poly-size family of circuits Ā = {Ā_n}_{n∈N} and a negligible function ν such that Ā is an extractor for A with error bound ν. For each n ∈ K, let a' = DLog_{q',g'}(A'), where (Cmt, q', g', A') is P̂’s commitment on input ε when the initial state is (x, a, ε). Using Ā, we define the poly-size family of circuits J = {J_n}_{n∈N} shown in Figure 4. The proof of the following is in [4]. 
Claim 2. For infinitely many n ∈ N there exists (q, g) ∈ GL_n such that for every A ∈ G_q

$$\Pr\left[\, a \leftarrow J_n(q,g,A) : g^a = A \,\right] \ge \frac{1}{p(n)^2} - \frac{8}{2^n p(n)} - 2\nu(n) . \quad \blacksquare$$



Claim 2 implies that J does not have a negligible success bound, which, by 
Proposition 1, shows that the DLP is not hard, contradicting the assumption 
made in this Theorem. 



Zero knowledge of pHTP. Having modified HTP, we need to revisit the zero knowledge. Hada and Tanaka proved that if the canonical argument is HVZK (property (3) above) then HTP is zero knowledge under KEA1. However, we observe that pHTP modifies only the verifier, not the prover. Furthermore, only the decision predicate of the verifier is modified, not the messages it sends. This means that the view (i.e., the internal coin tosses and the sequence of messages received during an interaction with a prover P) of verifier V' of pHTP is identical to that of verifier V of HTP. Thus, zero knowledge of pHTP follows from zero knowledge of HTP, and in particular is true under the same assumptions, namely KEA1. 



Summary. In summary, pHTP is a 3-round protocol that we have shown is a negligible-error argument for NP assuming DLA and KEA3, and is ZK assuming KEA1. Given Proposition 2, this means we have shown that assuming DLA and KEA3 there exists a 3-round negligible-error ZK argument for NP. 

A KEA3 Implies KEA1 

We recall KEA1, following [12], but applying the same simplifications as we did for KEA2 so as to merge their two conditions into one: 

Assumption 4. [KEA1] Let A = {A_n}_{n∈N} and Ā = {Ā_n}_{n∈N} be families of circuits, and ν : N → [0, 1] a function. We associate to any n ∈ N, any (q, g) ∈ GL_n, and any A ∈ G_q the following experiment:

Experiment Exp^{kea1}_{A,Ā}(n, q, g)
  b ←$ Z_q ; B ← g^b
  (C, Y) ← A_n(q, g, B) ; c ← Ā_n(q, g, B)
  If (Y = C^b AND g^c ≠ C) then return 1 else return 0

We let

$$\mathbf{Adv}^{\mathrm{kea1}}_{A,\bar{A}}(n,q,g) = \Pr\left[\mathbf{Exp}^{\mathrm{kea1}}_{A,\bar{A}}(n,q,g) = 1\right]$$

denote the advantage of A relative to Ā on inputs n, q, g. We say that Ā is a kea1-extractor for A with error bound ν if

$$\forall n \in \mathbb{N}\ \forall (q,g) \in GL_n : \mathbf{Adv}^{\mathrm{kea1}}_{A,\bar{A}}(n,q,g) \le \nu(n) .$$

We say that KEA1 holds if for every poly-size family of circuits A there exists a poly-size family of circuits Ā and a negligible function ν such that Ā is a kea1-extractor for A with error bound ν. ∎

Proof (Proposition 2). Let A be an adversary (poly-size family of circuits) for KEA1. We need to show there exists a negligible function ν and a poly-size family of circuits Ā such that Ā is a kea1-extractor for A with error bound ν. We begin by constructing from A the following adversary A' for KEA3: 

Adversary A'_n(q, g, A, B, X)
  (C, Y) ← A_n(q, g, B)
  Return (C, Y)

We have assumed KEA3. Thus there exists a negligible function ν and an extractor Ā' such that Ā' is a kea3-extractor for A' with error bound ν. Now we define an extractor Ā for A as follows: 

Extractor Ā_n(q, g, B)
  a ←$ Z_q ; A ← g^a ; X ← B^a
  (c1, c2) ← Ā'_n(q, g, A, B, X)
  c ← c1 + a·c2 mod q
  Return c

We claim that Ā is a kea1-extractor for A with error bound ν. To see this, assume Ā'_n(q, g, A, B, X) is successful, meaning g^{c1}A^{c2} = C. Then g^c = g^{c1 + a·c2} = g^{c1}A^{c2} = C, so Ā_n(q, g, B) is successful as well. ∎
Abstract. In this paper we find two near-collisions of the full compression function of SHA-0, in which up to 142 of the 160 bits of the output 
are equal. We also find many full collisions of 65-round reduced SHA-0, 
which is a large improvement to the best previous result of 35 rounds. 
We use the very surprising fact that the messages have many neutral 
bits, some of which do not affect the differences for about 15-20 rounds. 
We also show that 82-round SHA-0 is much weaker than the (80-round) 
SHA-0, although it has more rounds. This fact demonstrates that the 
strength of SHA-0 is not monotonous in the number of rounds. 



1 Introduction 

SHA-0 is a cryptographic hash function, which was issued as a Federal Information Processing Standard (FIPS-180) by NIST in 1993 [8]. It is based on the principles of MD4 [12] and MD5 [13]. The algorithm takes a message of any length up to 2^64 bits and computes a 160-bit hash value. A technical revision, 
called SHA-1, which specifies an additional rotate operation to the algorithm, 
was issued as FIPS-180-1 [9] in 1995. The purpose of the revision according to 
NIST is to improve the security provided by the hash function. 

Finding collisions of hash functions is not an easy task. The known cases 
of successful finding of collisions (such as the attack on Snefru [14,2], and the 
attack on MD4 [12,4]) are rare, and use detailed weaknesses of the broken func- 
tions. It is widely believed that finding near-collisions (i.e., two messages that 
hash to almost the same value, with a difference of only a few bits) are as diffi- 
cult, or almost as difficult, as finding a full collision. The Handbook of Applied 
Cryptography [7] defines near-collision resistance by 

near- collision resistance. It should be hard to find any two inputs x, x' 
such that h{x) and h{x') differ in only a small number of bits. 

and states that it may serve as a certificational property. In some designs of hash 
functions, such as SHA-2/224 [10], SHA-2/384 [11], and Tiger [1], the designers 
that wish to allow several hash sizes for their design, base the version with the 
smaller size on the one with the larger size, and discard some of the output bits, 
thus showing the confidence of the designers in the difficulty of finding near- 
collisions. Near-collisions were also used in the cryptanalysis of MD4 [15,4]. 

M. Franklin (Ed.): CRYPTO 2004, LNCS 3152, pp. 290-305, 2004. 
Table 1. Comparison of Chabaud and Joux’ Results to Our Results

                                Chabaud and Joux        Our Results
                                Rounds   Complexity     Rounds   Complexity
Optimized for                     80       2^61           82       2^33
Best collision found              35       2^14           65       2^29
Conforming rounds found        ≈ 56 [6]     -             76       2^40
Near collisions (18-bit diff)      -        -             80       2^40

(*) About half an hour on a PC 

(**) Our actual search took less than a day on a PC which is equivalent to a complexity of 2®® 



Near-collisions are the simplest example of forbidden relations between outputs 
of the hash function. Another proposed forbidden relation of the hash results 
is division intractability [5] where finding messages hashed to a divisor of other 
hashes should be difficult. 

In [3] Chabaud and Joux proposed a theoretical attack on the full SHA-0 with complexity of 2^61. Using their technique they found a collision of SHA-0 reduced to 35 rounds. 

In this paper we improve over the results of [3], and present attacks with 
lower complexities. We present collisions of 65-round reduced SHA-0, and near- 
collisions of the full compression function of SHA-0 in which up to 142 of the 
160 bits of the hash value are equal. We use the very surprising observation that 
many bits of the message are neutral bits, i.e., they do not affect the differences of 
the intermediate data for 15-20 rounds. We observe that the strength of SHA-0 is 
not monotonous, i.e., collisions of 82 rounds are easier to find than of 80 rounds, 
and use it in our search for near-collisions. We also present several observations 
on variants of SHA-0. 

A comparison of Chabaud and Joux’ results with our results is given in 
Table 1. 

Table 2 shows the complexity of finding collisions of reduced and extended SHA-0, as a function of the number of rounds. The table demonstrates that the strength of SHA-0 is not monotonous with the number of rounds. In the complexity calculations we assume that for the extended SHA-0, the additional rounds after the original 80 rounds are performed with the f_i function being XOR, like in rounds 60, ..., 79 that precede them. We also assume that the first 22 rounds can be gained for free by using the neutral bits. 

A comparison between finding near-collisions using a generic attack and our 
attack is given in Table 3. Note that the generic attack hashes a large number 
of random messages, all of them are then kept in memory. Due to the birth- 
day paradox, it is expected to have a collision or near-collision with complexity 
(number of messages) about 



1.17 





292 



Eli Biham and Rafi Chen 



Table 2. The Complexity of Finding Collisions of Reduced/Extended SHA-0

Number of Rounds   Complexity     Number of Rounds   Complexity
      64             2^5                80             2®®
      65             2^29               81             2^43
      68             2«                 82             2«
      74             2®°                83             2®5
      75             2^52               84             2®4
      76             -(*)               85             2"i
      77             2®®                86             2^95
      78             2®®                87             -(*)
      79             2®®                92             2?4

(*) There is no disturbance vector for which the differences of the five registers after 76 or 87 rounds are zero and which do not have consequent disturbances in the first 17 rounds 



Table 3. The Complexities of Finding Near-Collisions of the Compression Function of SHA-0 by a Generic Attack and by Our Attack (the number of different bits is the Hamming distance of the five registers before the feed-forward)

Number of Diff. Bits              0      1      2      3      4      5      18
Generic (time & memory)          2^80   2’’®   2'^®   2™     2®®    2®®    2^^
Ours (time, negligible memory)   2®®    2^®    2^®    2^^    2^^    2^^    2^°



where k is the Hamming weight of the difference. As this attack is generic, it 
uses no special properties on SHA-0, and thus cannot be used to gain insight on 
its design. 

This paper is organized as follows: Section 2 describes the SHA-0 algorithm, and a few notations. Section 3 describes the attack of Chabaud and Joux. Our improved attack is presented in Section 4. Two pairs of near-collisions of the compression function of SHA-0 and a full collision of 65-round reduced SHA-0 are given in Section 5. Section 6 describes small variations of SHA-0 that largely affect its security. Finally, Section 7 summarizes the paper. 

2 Description of SHA-0 

SHA-0 hashes messages of any length in blocks of 512 bits, and produces a 
message digest of 160 bits. 

1. The message is padded with a single bit ‘1’, followed by 0–511 bits ‘0’, followed by a 64-bit representation of the message length, where the number of zeroes is selected to ensure the total length of the padded message is a multiple of 512 bits. The padded message is divided to 512-bit blocks M_1, ..., M_n. 

2. A 5-word buffer h_0 is initialized to 

$$h_0 = (67452301_x,\ EFCDAB89_x,\ 98BADCFE_x,\ 10325476_x,\ C3D2E1F0_x).$$
Table 4. Functions and Constants

Rounds          f_i(B, C, D)        K_i
0 ≤ i ≤ 19      BC ∨ B̄D            5A827999_x
20 ≤ i ≤ 39     B ⊕ C ⊕ D          6ED9EBA1_x
40 ≤ i ≤ 59     BC ∨ BD ∨ CD       8F1BBCDC_x
60 ≤ i ≤ 79     B ⊕ C ⊕ D          CA62C1D6_x



3. Each block Mj in turn is subjected to the compression function, along with 
the current value of the buffer hj-\. The output is a new value for hj\ 

hj = compress(Mj, hj-i). 

4. hn is the output of the hash function. 

The compression function is: 

1. Divide the 512-bit block $M_j$ into 16 32-bit words $W_0, W_1, \ldots, W_{15}$. 

2. Expand the 16 words to 80 words by the recurrence equation: 

$$W_i = W_{i-3} \oplus W_{i-8} \oplus W_{i-14} \oplus W_{i-16}, \qquad i = 16, \ldots, 79. \qquad (1)$$

We denote expansion of a block to 80 words by this equation by $\exp(\cdot)$, and 
note that $W = \exp(M_j)$. 

3. Divide $h_{j-1}$ into the five registers A, B, C, D, and E by 

$$(A_0, B_0, C_0, D_0, E_0) = h_{j-1}.$$

4. Iterate the following round function 80 times ($i = 0, \ldots, 79$): 

$$A_{i+1} = (W_i + ROL_5(A_i) + f_i(B_i, C_i, D_i) + E_i + K_i) \bmod 2^{32}, \qquad (2)$$

$$B_{i+1} = A_i, \quad C_{i+1} = ROL_{30}(B_i), \quad D_{i+1} = C_i, \quad E_{i+1} = D_i,$$

where the functions and constants used in each round are described in Ta- 
ble 4. 

5. The output of the compression function is 

$$h_j = (A_0 + A_{80},\ B_0 + B_{80},\ C_0 + C_{80},\ D_0 + D_{80},\ E_0 + E_{80}).$$

In the remainder of the paper we consider only 512-bit messages and only the 
first application of the compression function. We denote the j'th bit of $W_i$ by 
$W_i^j$, and similarly we denote the j'th bits of $A_i, B_i, C_i, D_i$, and $E_i$ by $A_i^j, B_i^j, C_i^j,$ 
$D_i^j$, and $E_i^j$. We also use the notation $f_i$ to denote the output of $f_i(B_i, C_i, D_i)$ 
in round i, and $f_i^j$ denotes the j'th bit of $f_i$. 
Table 5. Single Difference and Corrections 

Round                    i          i+1        i+2        i+3        i+4        i+5 
                         Disturbance           Correction Rounds 
Input Words              W^1        W^6        W^1        W^31       W^31       W^31 
                         0→1        1→0        1→0        0↔1        0↔1        0↔1 
Desired Results          A^1                   f^1        f^31       f^31       E^31 
                         0→1                   0→1        0↔1        0↔1        0→1 
Registers Differences    A^1        B^1        C^31       D^31       E^31       None 
                         0→1        0↔1        0↔1        0↔1        0↔1 



3 Description of Chabaud and Joux Attack 

In the attack of Chabaud and Joux [3] messages are constructed with specific 
differences, such that the effect of the differences of the messages on the difference 
of the registers A, ..., E can be canceled within a few rounds. The cancellation 
is performed by applying correcting patterns by additional differences in the 
messages. 

The attack is initiated by a selection of a difference Δ, that is later used as the 
difference of the two colliding messages. The difference is selected with various 
disturbances and corrections, where the corrections are additional differences 
used to correct the differences caused by the disturbances. The disturbances are 
always selected in bit 1 of the message words. Due to the rotations by 5 and 
30 bits in the round function, corrections are made in bits 1, 6, and 31 of the 
words. These disturbances and corrections are aimed to limit the evolution of 
differences to other bits. The result is that in an expected run, $A_i$ and $A'_i$ can 
only differ in bit 1 (i.e., $A_i \oplus A'_i \in \{0, 00000002_x\}$), and each time they differ, 
they cause differences in the other registers in the following rounds, which are 
then corrected by differences of the messages (or W's). 

A disturbance starts by setting bit 1 in one of the input words of M' as 
the complement of the corresponding bit of M. We now show how applying a 
correction sequence on bits 6, 1, 31, 31, 31 of the following words may cancel 
the differences at the end of the sequence. Suppose the initial disturbance is in 
$W_i^1 \neq W_i'^1$. This input difference causes registers A and A' to differ at bit 1. On 
each subsequent round the difference moves to the next register (B, C, D or E), 
while the corrections of bits 6, 1, 31, 31, 31 in the input words $W_{i+1}, \ldots, W_{i+5}$, 
respectively, keep registers A and A' equal in these rounds. After this sequence 
of a single disturbance and five corrections, the registers' contents are equal. By 
generating M' from M by applying this mask, and calculating the difference of 
A and A' at each round we can get the differences described in Table 5 with a 
non-negligible probability. The table describes a disturbance with $W_i^1 = 0$ and 
$W_i'^1 = 1$, and the required corrections. A similar disturbance and corrections 
can be applied for a '1' to '0' difference. The notation 0→1 refers to a change 
where a bit is '0' in W and '1' in W'. The notation 0↔1 means that there is a 
change either from '0' to '1' or from '1' to '0'. 

Let D be a vector of 80 words, which correspond to the 80 rounds of the 
compression function. Each word in the vector is set to '1' if there is a disturbance 
in the corresponding round, and is set to '0' otherwise. We call this vector the 
disturbance vector. Since getting a collision for the full function requires five 
correcting rounds, full collisions require the last five words of the disturbance 
vector to be zero (but for near-collisions this property is not required). Let 
$SR^l(D)$ be the vector of 80 words received by prepending $l$ zero words to the 
first $80 - l$ words of D (i.e., a non-cyclic shift operation of the words). Then, 
the corrections are made in bit 6 in the rounds which correspond to non-zero 
words in $SR^1(D)$, in bit 1 in $SR^2(D)$, and in bit 31 in $SR^3(D)$ and $SR^4(D)$ and 
$SR^5(D)$. Thus, the expansion of Δ to 80 rounds can be written in the form 

$$\exp(\Delta) = \big((D \oplus SR^2(D)) \ll 1\big) \oplus \big(SR^1(D) \ll 6\big) \oplus \big((SR^3(D) \oplus SR^4(D) \oplus SR^5(D)) \ll 31\big),$$

where $\ll$ denotes shift of each word of the vector separately. In addition, since 
$\exp(\Delta)$ is expanded by the linear feedback shift register of Equation (1), the dis- 
turbance vector D is also generatable by this linear feedback shift register. See [3] 
for additional details on the attack, and the additional required constraints. 

We expect that the value of $A_{i+1} \oplus A'_{i+1}$ be $D_i \ll 1$ if all the corrections 
succeed (i.e., only disturbances in the current round affect the difference after 
the round). Thus, the vector of the expected values of $(A_{i+1} \oplus A'_{i+1})_{i=0,\ldots,79}$, 
which we denote by δ, is 

$$\delta = D \ll 1$$

(note that the indices of δ are 1, ..., 80, rather than 0, ..., 79). 

As the correction process is probabilistic, and assuming each disturbance has 
the same probability for correction, we are interested in the disturbance vector 
with the least Hamming weight for getting the least search complexity (but 
note that the correction probabilities vary, and depend on the $f_i$'s used in the 
correction rounds). 



4 Our Improved Attack 

Our attack is based on the attack of Chabaud and Joux with enhancements that 
increase the probability of finding collisions and near-collisions. 

The main idea is to start the collision search from some intermediate round, 
thus eliminating the probabilistic behavior of prior rounds. In order to start the 
collision search from round r, we build a pair of messages M and M' with a 
difference $M \oplus M' = \Delta$, and with the two additional properties described below. 
Before we describe these properties we wish to make the following definitions: 

Definition 1. Given the difference Δ of two messages, the attack of Chabaud 
and Joux defines the expected differences δ of the values of register A in each 
round. We say that a pair of messages conforms to $\delta_r$ if $A_i \oplus A'_i = \delta_i$ for every 
$i \in \{1, \ldots, r\}$ (which means that the differences at the output of the first r 
rounds 0, ..., r − 1 are as expected). 

Definition 2. Let M and M' be a pair of messages that conforms to $\delta_r$ for some 
$r \ge 16$. We say that the i'th bit of the messages ($i \in \{0, \ldots, 511\}$) is a neutral bit 
with respect to M and M' if the pair of messages received by complementing the 
i'th bits of M and M' also conforms to $\delta_r$. We say that the pair of the i'th and j'th 
bits is neutral with respect to M and M' if all the pairs of messages received by 
complementing any subset of these bits ($\{i\}$, $\{j\}$, or $\{i, j\}$) in both messages M 
and M' also conform to $\delta_r$. We say that a set of bits $S \subseteq \{0, \ldots, 511\}$ is neutral 
with respect to M and M' if all pairs of messages received by complementing 
any subset of the bits in S in both messages M and M' also conform to $\delta_r$. We 
say that a subset $S \subseteq \{0, \ldots, 511\}$ of the bits of the messages is a 2-neutral set 
with respect to M and M' if every bit in S is neutral, and every pair of bits in 
S is neutral. 

We denote the size of the maximal 2-neutral set (for given messages and r) 
by $k(r)$. We are now ready to describe the two additional properties: 

1. The message pair conforms to $\delta_r$. Having the required sequence of $A \oplus A'$ 
implies that all other differences (i.e., $B \oplus B'$, $C \oplus C'$, $D \oplus D'$, $E \oplus E'$) are 
also as required. 

2. The message pair has a large-enough 2-neutral set of bits. We expect that a 
large fraction of the subsets of the bits in the 2-neutral set are also neutral. 

Given a pair of messages with these properties, we can construct a set of 
$2^{k(r)}$ message pairs by complementing subsets of the bits of the 2-neutral set. Since a 
large fraction of these pairs conform to $\delta_r$, while the probability of random pairs 
is much smaller, it is advisable to use these pairs for the attack. 

How are r and $k(r)$ determined? Starting the search from round r we can 
calculate the probability 

$$p(r) = \prod_{i=r}^{79} p_i$$

of successful corrections in all the rounds given messages that conform to $\delta_r$ 
(where $p_i$ is the probability of successful corrections in round i, or 1 if no cor- 
rection is performed). When the disturbance vector has zeroes at the last five 
rounds, $p(r)$ is the probability for getting a collision (otherwise, a near-collision 
is expected). The number of conforming pairs we need to test is expected to be 
about $1/p(r)$. Since every subset of the $k(r)$ neutral bits can be used, we can try 
$2^{k(r)}$ pairs using these bits. Thus, we should select r that satisfies $2^{k(r)} > 1/p(r)$. 
In fact, we select the largest r that satisfies this inequality. 
4.1 Finding 2-Neutral Sets of Bits of a Given Pair 

The following algorithm finds a 2-neutral set of bits. The input to the algorithm 
is a pair of messages M, M' with a difference Δ that conforms to $\delta_r$. The 
algorithm generates 512 candidate pairs by complementing single bits in M, M' 
(leaving their difference unchanged). Let $e_i$, $i \in \{0, \ldots, 511\}$, denote a message 
whose value has a single bit '1', and 511 bits '0', where the bit '1' is in the i'th 
location. The candidate pairs can be written by 

$$(M \oplus e_i,\ M' \oplus e_i), \qquad i \in \{0, \ldots, 511\}.$$

Each candidate pair is tested to conform to $\delta_r$. If a candidate pair conforms to 
$\delta_r$, then bit i is a neutral bit. 

In order to find a 2-neutral set of bits we define a graph whose vertices cor- 
respond to the neutral bits. We then add an edge for each pair of bits whose 
simultaneous complementation does not affect conformance. This graph de- 
scribes all the bits whose complementation does not affect conformance, and 
all the pairs of these bits whose simultaneous complementation does not affect 
conformance. We are now interested in finding the maximal clique (or an almost 
maximal clique) in this graph, i.e., the maximal subset of vertices for which any 
vertex in the subset is connected to any other vertex in the subset by an edge. 
Although in general finding a maximal clique is an NP-complete problem, in our 
case finding a large enough clique is not difficult, as many vertices are connected 
to all other vertices by edges. 
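As an added example (not code from the paper), the following Python implements SHA-0 as specified in Section 2, recovers the disturbance vector D of Section 3 from exp(Δ) and checks the correction formula against it, and runs the single-bit neutrality test of Section 4.1 on the pair M1, M1' of Section 5 as transcribed on this page. It assumes (the page does not say) that message bit j is bit j mod 32 (LSB = 0) of word ⌊j/32⌋, and it checks conformance on register A only, as Definition 1 does.

```python
# Added example, not code from the paper: SHA-0 as specified in Section 2, the
# disturbance vector and correction formula of Section 3, and the single-bit
# neutrality test of Section 4.1, applied to the pair M1, M1' of Section 5.
from typing import List, Tuple

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)  # h_0
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)  # K_i, one per 20 rounds

def rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK

def f(i: int, b: int, c: int, d: int) -> int:
    """Round function f_i of Table 4: IF, XOR, MAJ, XOR."""
    if i < 20:
        return (b & c) | (~b & MASK & d)
    if 40 <= i < 60:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d

def expand(words: List[int]) -> List[int]:
    """Equation (1): W_i = W_{i-3} ^ W_{i-8} ^ W_{i-14} ^ W_{i-16}; SHA-0 has no rotation here."""
    w = list(words)
    for i in range(16, 80):
        w.append(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16])
    return w

def run_rounds(h: Tuple[int, ...], block: List[int]) -> List[Tuple[int, ...]]:
    """Equation (2) for i = 0..79; returns (A, B, C, D, E) after each round."""
    a, b, c, d, e = h
    w = expand(block)
    states = []
    for i in range(80):
        t = (w[i] + rol(a, 5) + f(i, b, c, d) + e + K[i // 20]) & MASK
        a, b, c, d, e = t, a, rol(b, 30), c, d
        states.append((a, b, c, d, e))
    return states

def compress(h: Tuple[int, ...], block: List[int]) -> Tuple[int, ...]:
    """Step 5: feed-forward of h_{j-1} into the registers after 80 rounds."""
    return tuple((x + y) & MASK for x, y in zip(h, run_rounds(h, block)[-1]))

def sha0(msg: bytes) -> str:
    """Step 1 padding, then one compression per 512-bit block; returns the hex digest."""
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + (8 * len(msg)).to_bytes(8, "big")
    h = IV
    for off in range(0, len(padded), 64):
        h = compress(h, [int.from_bytes(padded[off + 4 * j:off + 4 * j + 4], "big") for j in range(16)])
    return "".join(f"{x:08x}" for x in h)

def a_differences(m: List[int], mp: List[int]) -> List[int]:
    """A_{i+1} ^ A'_{i+1} for i = 0..79, the column reported in Tables 9 and 10."""
    return [s[0] ^ sp[0] for s, sp in zip(run_rounds(IV, m), run_rounds(IV, mp))]

def disturbance_vector(exp_delta: List[int]) -> List[int]:
    """Recover D from exp(Delta): bit 1 of exp(Delta)_i equals D_i ^ D_{i-2} (D_{<0} = 0)."""
    d: List[int] = []
    for i, x in enumerate(exp_delta):
        d.append(((x >> 1) & 1) ^ (d[i - 2] if i >= 2 else 0))
    return d

def corrections(d: List[int]) -> List[int]:
    """Section 3: exp(Delta) = ((D ^ SR2(D)) << 1) ^ (SR1(D) << 6) ^ ((SR3 ^ SR4 ^ SR5)(D) << 31)."""
    def sr(l: int, i: int) -> int:  # SR^l(D)_i = D_{i-l}, zero for i < l
        return d[i - l] if i >= l else 0
    return [((d[i] ^ sr(2, i)) << 1) ^ (sr(1, i) << 6)
            ^ ((sr(3, i) ^ sr(4, i) ^ sr(5, i)) << 31) for i in range(80)]

def lfsr_consistent(d: List[int]) -> bool:
    """D must itself be generatable by the LFSR of Equation (1)."""
    return all(d[i] == d[i - 3] ^ d[i - 8] ^ d[i - 14] ^ d[i - 16] for i in range(16, 80))

def conforms(m: List[int], mp: List[int], d: List[int], r: int) -> bool:
    """Definition 1: A_{i+1} ^ A'_{i+1} == delta_{i+1} = D_i << 1 for every i < r."""
    return all(x == y << 1 for x, y in zip(a_differences(m, mp)[:r], d))

def neutral_bits(m: List[int], mp: List[int], d: List[int], r: int) -> List[int]:
    """Section 4.1: bit j is neutral if complementing it in both messages keeps conformance
    to delta_r. Assumed numbering (not stated on the page): bit j % 32 (LSB = 0) of word j // 32."""
    out = []
    for j in range(512):
        m2, mp2 = list(m), list(mp)
        m2[j // 32] ^= 1 << (j % 32)
        mp2[j // 32] ^= 1 << (j % 32)
        if conforms(m2, mp2, d, r):
            out.append(j)
    return out

# The pair M1, M1' of Section 5 as transcribed on this page; Delta = M1 ^ M1'.
M1 = [0x310EEB32, 0xAC418FC2, 0x415D5A54, 0x6FFA5AA9, 0x5EE5A5F5, 0x7621F42D, 0x8AE2F4CA, 0xF7ACF74B,
      0xB144B4E1, 0x5164DF45, 0xC61AD50C, 0xD5833699, 0x6F0BB389, 0xB6468AC5, 0x4D4323F9, 0x86088694]
M1P = [0x310EEB32, 0xAC418FC2, 0x415D5A54, 0x6FFA5AAB, 0x5EE5A5B5, 0x7621F42F, 0x0AE2F4CA, 0x77ACF74B,
       0x3144B4E3, 0x5164DF05, 0xC61AD50C, 0x558336D9, 0xEF0BB38B, 0xB6468AC7, 0xCD4323B9, 0x06088696]
DELTA = [x ^ y for x, y in zip(M1, M1P)]

if __name__ == "__main__":
    D = disturbance_vector(expand(DELTA))
    print("disturbance rounds:", [i for i, x in enumerate(D) if x])
    print("single neutral bits for r = 22:", neutral_bits(M1, M1P, D, 22))
```

Running the block prints the rounds carrying a disturbance (27 of them, two in the last five rounds, which is why this Δ cannot give a full 80-round collision) and the single neutral bits found for r = 22.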

We are now ready to make some very important observations, on which the 
success of our attack is based: 

Observation 1. When we perform a search with the set of $2^{k(r)}$ message pairs, 
about 1/8 of the pairs (i.e., about $2^{k(r)-3}$ pairs) conform to $\delta_r$. 

Let 

$$p(r \to r') = \prod_{i=r}^{r'-1} p_i$$

be the probability that a pair that conforms to $\delta_r$ also conforms to $\delta_{r'}$, and notice 
that $p(r) = p(r \to 80)$. 

Observation 2. Let r and r' be some rounds where $p(r \to r') \approx$ … . By 
trying the $2^{k(r)}$ generated message pairs, we get the expected number of … pairs 
conforming to $\delta_{r'}$, but surprisingly a fraction of the pairs that conform to $\delta_{r'}$ 
also conform to $\delta_{r'+l}$, which we would expect to get with a larger set of about 
$2^{k(r)+a}$, where $2 \le l \le 4$ and $3 \le a \le 8$. 

In the actual attack we improve the algorithm further by searching for pairs 
of non-neutral bits whose simultaneous complementation creates pairs that also 
conform to $\delta_r$ (and similarly search for triplets of bits, or larger sets of bits). 
Using this method we receive a larger number of neutral "bits" that can be used 
for our analysis with higher rounds. 
Table 6. A Pair of Messages with 40 Neutral Bits and Simultaneous Neutral Bits for 
r = 22 (the bits are numbered in the range 0, ..., 511; words in hex) 

M  = 19EF75A8 D2F24D9A 8F179A7D 1A295690 
     2F84C143 D74B9DDC 18C10577 8107056F 
     5B1A47ED 6212C8F2 3B2D04F8 F5581AB0 
     26D8CDBC AB8A8248 F347E871 46278F39 

M' = 19EF75A8 D2F24D9A 8F179A7D 1A295692 
     2F84C103 D74B9DDE 98C10577 0107056F 
     DB1A47EF 6212C8B2 3B2D04F8 75581AF0 
     A6D8CDBE AB8A824A 7347E831 C6278F3B 

Singles:      388 457 458 459 464 484 485 489 490 491 494 495 496 499 501 506 507 
Pair:         (301 264) (500 463) (461 424) (502 428) (493 456) (497 460) 
Triplets:     (296 175 138) (341 220 183) (376 255 218) (386 265 228) (391 270 233) 
              (492 334 297) (462 426 425) (466 429 393) (488 483 478) 
Quadruplets:  (229 137 108 71) (331 210 116 79) (455 435 434 397) (505 437 431 400) 
              (364 338 337 300) 
Quintuplets:  (471 470 469 433 395) (504 480 451 438 420) (487 465 344 343 306) 

An example of a pair of messages with its neutral set of bits is given in 
Table 6. In this example r = 22 and the size of the neutral set is $k(22) = 40$. 
In particular, the quadruplet 229 137 108 71 consists of bits of rounds 7, 4, 3, 
and 2, so the changes at round 2 are successfully corrected by the changes in the 
other rounds so the difference is unaffected for 20 rounds, and even from round 
7 there are 15 additional rounds whose difference is not affected. 

Observation 3. In many cases pairs of bits that are simultaneously neutral, but 
each bit is not, are of the form $W_i^j$, $W_{i+l}^{(j+5l) \bmod 32}$ for small $l$'s. Similarly triplets 
(and quartets, etc.) of non-neutral bits, whose simultaneous complementation is 
neutral, are of the same form, i.e., $W_i^j$, $W_{i+l}^{(j+5l) \bmod 32}$, and $W_{i+l'}^{(\ldots) \bmod 32}$ for two different small 
$l$'s. We call such sets of bits simultaneous-neutral sets, and in case of pairs of 
bits simultaneous-neutral pairs. 



4.2 Finding a Pair with a Larger 2-Neutral Set 

For the attack, we are interested in finding a message pair with a maximal 2- 
neutral set of bits. Assume that we are already given a pair conforming to $\delta_r$. We 
now modify this pair slightly in order to get another pair that conforms 
to $\delta_r$ with a larger 2-neutral set of bits. 

This algorithm takes the given message pair as a base, modifies it in a certain 
way that we describe later, and calls the algorithm that finds the 2-neutral set 
of the new pair. If the size of this set is larger than the set of the base pair, the 
base pair is replaced by the new pair, and the algorithm restarts with the new 
pair as the base. 

By modifying the current message pair we create a new pair that hopefully 
conforms to $\delta_r$. The modifications are made in bits that maximize the probability 
of success. In order to create a new conforming pair, we modify several neutral 
bits (and simultaneously-neutral sets of bits), and check whether the resultant 
pair conforms to $\delta_r$. 

In some cases we can improve further. In rounds where bit 1 differs, i.e., 
$W_i^1 \neq W_i'^1$, the carry from bit 1 to the next bit can create a difference in the next 
bit. The probability for this carry to make this difference is 1/2. In such a case 
$A_{i+1} \oplus A'_{i+1} \neq 00000002_x$, and thus the new pair does not conform to $\delta_r$. 

Observation 4. If the difference of the carry is changed, the change can be 
canceled by complementing … and/or …, or by complementing other bits in the 
message that affect … indirectly. 

Such bits are also $W_{i+1}^{j+5}$ and … (which affect $A_{i+1}^{j}$, and then after the 
rotate operation), or $W_{i+2}^{j+10}$ or $W_{i-l}^{(j+32-5l) \bmod 32}$ 
for other small $l$'s. Each such complementation has probability 1/2 to cancel the 
difference in the carry. 

This algorithm can be simplified as follows: The algorithm takes as an in- 
put a message and modifies a few subsequent bits in several subsequent words, 
with the shift of five bits as mentioned above. For example, the modified bits 
cover all $2^{\ldots} - 1$ (non-empty) subsets of $\{W_0^{\ldots}, \ldots, W_0^{\ldots}\} \cup \{W_1^{\ldots}, \ldots, W_1^{\ldots}\} \cup \ldots \cup$ 
$\{\ldots, W_{\ldots}^{\ldots}\}$. Then, the pattern of modification is shifted by all 31 possible 
rotations. Finally, we proceed and make the same analysis starting from $W_1$, 
then $W_2$, etc. The modification process ends when the algorithm starts with 
$W_{10}$. This simplification lacks consideration of some optimizations and details 
given earlier, whose incorporation is vital for an optimized implementation. 



4.3 Increasing the Number of Conforming Rounds 

In order to start the search at a higher round we need to construct a pair that 
conforms to $\delta_{r'}$, where $r' > r$. This pair is constructed using the last pair with the 
maximal number of neutral bits we have. The pair undergoes small modifications 
of the form described above. Once a pair that conforms to $\delta_{r'}$ is found, we use 
the algorithms described in Subsections 4.1 and 4.2 to find a 2-neutral set, and 
then to find a pair with the largest 2-neutral set. 



4.4 Final Search 

After computing the 2-neutral set, we start the final search by complementing 
sequentially every subset of the bits in the 2-neutral set (a total of $2^{k(r)} - 1$ trials). 
Since a large fraction of the resulting pairs of messages conform to $\delta_r$, the 
search effectively starts at round r. If in addition $2^{k(r)} > 1/p(r)$, then we expect 
to find a collision or a near-collision, depending on the expected difference after 
r rounds. If $2^{k(r)} > 1/p(r \to r')$ for some $r'$, then we expect to find a collision 
(or a near-collision) of $r'$-round reduced (or extended) SHA-0. 

Table 7. Probability Summary 

Rounds          Function    −log p_i 
0, ..., 19      IF          25 
20, ..., 39     XOR         16 
40, ..., 59     MAJ         15 
60, ..., 79     XOR         15 


5 Results 

In our search we used a Δ that is optimized for finding 82-round collisions (thus 
also near-collisions of 80 rounds). This Δ is not suitable for finding full collisions 
of 80 rounds, as it has two disturbances at the last five rounds. However, its 
corresponding 80-round probability is much higher than the probability of a 
Δ that allows a full collision. Although this Δ cannot provide full collisions, 
it can lead to collisions of 65-round reduced SHA-0 and of 82-round extended 
SHA-0. The overall probability of successful corrections in 82-round SHA-0 is 
$p(0 \to 82) = 2^{-71}$. A probability summary for each set of 20 consecutive rounds 
(i.e., the IF, XOR, MAJ, XOR rounds) is given in Table 7 (in rounds 80 and 
81 the probability is 1 if $f_{80} = f_{81} =$ XOR). Using our technique with r = 22 the 
overall probability is reduced to $2^{-43}$. Our algorithm finds a 2-neutral set with 
40 neutral and simultaneous-neutral bits (see Table 6), thus we expect to find 
near-collisions of the compression function after 73 rounds in two computation 
days on a PC. Our actual findings (using an earlier set of neutral bits) are near- 
collisions of the compression function with a difference of only three bits (of 
$A \oplus A', \ldots, E \oplus E'$) after 76 rounds (that still conform to $\delta_{76}$), which are also 
near-collisions of the full compression function (but do not conform to $\delta_{80}$), and 
full collisions of 65-round reduced SHA-0. The near-collisions were found after 
about a day of computation for each pair, which is equivalent to a search with 
a complexity of $2^{\ldots}$. Finding 65-round near-collisions takes about half an hour. 
Two such pairs of messages (in 32-bit hex words) are: 

1. $M_1$ = 310EEB32 AC418FC2 415D5A54 6FFA5AA9 
          5EE5A5F5 7621F42D 8AE2F4CA F7ACF74B 
          B144B4E1 5164DF45 C61AD50C D5833699 
          6F0BB389 B6468AC5 4D4323F9 86088694 

   $M_1'$ = 310EEB32 AC418FC2 415D5A54 6FFA5AAB 
          5EE5A5B5 7621F42F 0AE2F4CA 77ACF74B 
          3144B4E3 5164DF05 C61AD50C 558336D9 
          EF0BB38B B6468AC7 CD4323B9 06088696 
2. $M_2$ = EF567055 F0722904 009D8999 5AFB3337 
          37D5D6A8 9E843D80 69229FB9 06D589AA 
          4AD89B67 CFCCCD2C A9BAE20D 6F18C150 
          43F89DA4 2E54FE2E AE7B7A15 80A09D3D 

   $M_2'$ = EF567055 F0722904 009D8999 5AFB3335 
          37D5D6E8 9E843D82 E9229FB9 86D589AA 
          CAD89B65 CFCCCD6C A9BAE20D EF18C110 
          C3F89DA6 2E54FE2C 2E7B7A55 00A09D3F 

Table 8. Difference of the Hash Results Before and After the Feed-forward (i.e., $A_{80} \oplus 
A'_{80}, \ldots, E_{80} \oplus E'_{80}$ and $(A_0 + A_{80}) \oplus (A_0 + A'_{80}), \ldots, (E_0 + E_{80}) \oplus (E_0 + E'_{80})$), and 
Their Hamming Weights 

                Difference (in hex)                                 Weight 
$M_1$ and $M_1'$: 
    Before:     00401FA0 00060184 00000400 80000020 80000000        17 
    After:      01E061A0 00020084 00000E00 800001E0 80000000        19 
$M_2$ and $M_2'$: 
    Before:     00C030A4 000E0304 00000403 80000060 80000000        20 
    After:      004070A4 00020104 00000C07 80000020 80000000        18 


The differences of the results of hashing $M_1$ and $M_2$ with the full SHA-0 are 
described in Table 8 along with the number of differing bits. Tables 9 and 10 
show detailed information on the evolution of differences in each round of the 
compression function, including the expanded messages, their differences, the 
differences $A_{i+1} \oplus A'_{i+1}$, the probability of conformance of each round (in log 
form), and the rounds where the values collide, or the number of differing bits 
of the five registers. Both messages collide after 65 rounds, and have only small 
differences afterwards. If we consider SHA-0 reduced to 76 rounds, our results 
show a near-collision with a difference of only three bits before the feed-forward 
and three and four bits difference after the feed-forward when using $M_1$ and $M_2$. 



6 SHA-0 Variants 

In this section we analyze some variants of SHA-0 that show strengths and 
weaknesses of the hash function. 



6.1 Increasing the Number of Rounds 

There are Δ's that lead to collision after 82 rounds, whose probability $p(0 \to 82)$ 
is considerably larger than the probability $p(0 \to 80)$ of the best Δ that leads 
to an 80-round collision. Therefore, increasing the number of rounds of SHA-0 
from 80 to 82 would make it much easier to find collisions. 
Table 9. A Near-Collision and its Differences in the Various Rounds ($M_1$ and $M_1'$ are 
formed by the first 16 words of W and W'; all words in hex) 

Round (i)   W_i        W'_i       exp(Δ)_i   A_{i+1} ⊕ A'_{i+1}   −log p_i   Diff Bits 
 0          310EEB32   310EEB32   00000000   00000000             0          collision 
 1          AC418FC2   AC418FC2   00000000   00000000             0          collision 
 2          415D5A54   415D5A54   00000000   00000000             0          collision 
 3          6FFA5AA9   6FFA5AAB   00000002   00000002             1          1 
 4          5EE5A5F5   5EE5A5B5   00000040   00000000             0          1 
 5          7621F42D   7621F42F   00000002   00000000             2          1 
 6          8AE2F4CA   0AE2F4CA   80000000   00000000             1          1 
 7          F7ACF74B   77ACF74B   80000000   00000000             1          1 
 8          B144B4E1   3144B4E3   80000002   00000002             1          1 
 9          5164DF45   5164DF05   00000040   00000000             0          1 
10          C61AD50C   C61AD50C   00000000   00000002             3          2 
11          D5833699   558336D9   80000040   00000000             1          2 
12          6F0BB389   EF0BB38B   80000002   00000000             3          2 
13          B6468AC5   B6468AC7   00000002   00000002             2          2 
14          4D4323F9   CD4323B9   80000040   00000000             1          2 
15          86088694   06088696   80000002   00000000             2          1 
16          77518F42   F7518F42   80000000   00000000             1          1 
17          DF9C29D7   5F9C29D5   80000002   00000002             2          2 
18          5FAAAC39   DFAAAC7B   80000042   00000002             1          2 
19          BB09175F   BB09171F   00000040   00000002             3          3 
20          6490CB61   E490CB21   80000040   00000002             2          4 
21          6861259A   686125D8   00000042   00000000             1          4 
22          CDEC748D   4DEC748F   80000002   00000000             1          3 
23          445065FB   C45065F9   80000002   00000002             1          3 
24          686ECB35   686ECB75   00000040   00000000             0          2 
25          9697B486   1697B486   80000000   00000002             2          2 
26          B2EBAF47   32EBAF05   80000042   00000002             1          3 
27          B0A26036   30A26074   80000042   00000000             1          3 
28          D04FEF97   D04FEF95   00000002   00000000             1          2 
29          EAC4868C   EAC4868C   00000000   00000000             0          2 
30          475CB800   475CB800   00000000   00000000             0          1 
31          CD8B252F   4D8B252F   80000000   00000000             0          collision 
32          AA516EC2   AA516EC0   00000002   00000002             1          1 
33          B55E320E   B55E324C   00000042   00000002             1          2 
34          445AED30   445AED70   00000040   00000002             2          3 
35          C99B3C31   499B3C73   80000042   00000000             1          3 
36          CC6D6275   CC6D6277   00000002   00000000             1          3 
37          82AF2BDD   02AF2BDD   80000000   00000000             0          2 
38          2B453B89   2B453B89   00000000   00000000             0          1 
39          D3219627   53219627   80000000   00000000             0          collision 
40          F27B216D   F27B216D   00000000   00000000             0          collision 
41          B82EDD37   B82EDD37   00000000   00000000             0          collision 
42          F5DF3BC7   F5DF3BC7   00000000   00000000             0          collision 
43          6186FBE6   6186FBE6   00000000   00000000             0          collision 
44          E350E8D5   E350E8D5   00000000   00000000             0          collision 
45          503FB3B9   503FB3B9   00000000   00000000             0          collision 
46          A7CE16AD   A7CE16AF   00000002   00000002             1          1 
47          48A469D3   48A46991   00000042   00000002             1          2 
48          4C4F1126   4C4F1164   00000042   00000000             1          2 
49          6325C5A5   E325C5A7   80000002   00000000             2          2 
50          354CDD51   354CDD51   00000000   00000000             0          2 
51          66FDFD2C   66FDFD2C   00000000   00000000             1          1 
52          675D748C   E75D748C   80000000   00000000             0          collision 
53          34FDD312   34FDD312   00000000   00000000             0          collision 
54          180DF165   180DF167   00000002   00000002             1          1 
55          44F6564F   44F6560D   00000042   00000002             1          2 
56          7F16D89E   7F16D8DC   00000042   00000000             1          2 
57          A2801211   22801211   80000000   00000002             3          3 
58          6735580C   6735584E   00000042   00000002             1          4 
59          28526DED   28526DAF   00000042   00000000             2          3 
60          814398E5   814398E7   00000002   00000000             1          2 
61          4B535174   4B535174   00000000   00000000             0          2 
62          DBDE9B03   DBDE9B03   00000000   00000000             0          1 
63          EE3462DC   6E3462DC   80000000   00000000             0          collision 
64          4D46459D   4D46459D   00000000   00000000             0          collision 
65          7C86B19B   7C86B199   00000002   00000002             1          1 
66          DB10930D   DB10934F   00000042   00000002             1          2 
67          3714064E   3714060C   00000042   00000000             1          2 
68          8295AC97   0295AC95   80000002   00000000             1          2 
69          E0484724   E0484724   00000000   00000000             0          2 
70          8BD1B4B6   8BD1B4B4   00000002   00000002             1          2 
71          8AD78A15   0AD78A55   80000040   00000000             0          1 
72          B52D822B   B52D822B   00000000   00000002             2          2 
73          7D857AD1   FD857A93   80000042   00000002             1          3 
74          B7B1D9F1   37B1D9B3   80000042   00000000             1          3 
75          E138B8FC   E138B8FC   00000000   00000002             2          3 
76          A58DD5A0   A58DD5E2   00000042   00000082             1          5 
77          F29EAD7D   F29EAD3F   00000042   00001000             1          5 
78          FC71D2D4   FC71D2D6   00000002   00060184             1          9 
79          BDE88CF2   BDE88CF2   00000000   00401FA0             0          17 

Table 10. A Near-Collision and its Differences in the Various Rounds ($M_2$ and $M_2'$ 
are formed by the first 16 words of W and W'; all words in hex) 

Round (i)   W_i        W'_i       exp(Δ)_i   A_{i+1} ⊕ A'_{i+1}   −log p_i   Diff Bits 
 0          EF567055   EF567055   00000000   00000000             0          collision 
 1          F0722904   F0722904   00000000   00000000             0          collision 
 2          009D8999   009D8999   00000000   00000000             0          collision 
 3          5AFB3337   5AFB3335   00000002   00000002             1          1 
 4          37D5D6A8   37D5D6E8   00000040   00000000             0          1 
 5          9E843D80   9E843D82   00000002   00000000             2          1 
 6          69229FB9   E9229FB9   80000000   00000000             1          1 
 7          06D589AA   86D589AA   80000000   00000000             1          1 
 8          4AD89B67   CAD89B65   80000002   00000002             1          1 
 9          CFCCCD2C   CFCCCD6C   00000040   00000000             0          1 
10          A9BAE20D   A9BAE20D   00000000   00000002             3          2 
11          6F18C150   EF18C110   80000040   00000000             1          2 
12          43F89DA4   C3F89DA6   80000002   00000000             3          2 
13          2E54FE2E   2E54FE2C   00000002   00000002             2          2 
14          AE7B7A15   2E7B7A55   80000040   00000000             1          2 
15          80A09D3D   00A09D3F   80000002   00000000             2          1 
16          8B479C85   0B479C85   80000000   00000000             1          1 
17          CB3EAD0A   4B3EAD08   80000002   00000002             2          2 
18          1E522001   9E522043   80000042   00000002             1          2 
19          20205362   20205322   00000040   00000002             3          3 
20          D63179BF   563179FF   80000040   00000002             2          4 
21          A8576A05   A8576A47   00000042   00000000             1          4 
22          ADA12DA9   2DA12DAB   80000002   00000000             1          3 
23          9F88A004   1F88A006   80000002   00000002             1          3 
24          C0728FEA   C0728FAA   00000040   00000000             0          2 
25          C64B8CDF   464B8CDF   80000000   00000002             2          2 
26          6B98FFAC   EB98FFEE   80000042   00000002             1          3 
27          A11EE3F6   211EE3B4   80000042   00000000             1          3 
28          FDF912D1   FDF912D3   00000002   00000000             1          2 
29          6D3BF6BA   6D3BF6BA   00000000   00000000             0          2 
30          298328CF   298328CF   00000000   00000000             0          1 
31          29EF82E2   A9EF82E2   80000000   00000000             0          collision 
32          385CC5D4   385CC5D6   00000002   00000002             1          1 
33          04D65A78   04D65A3A   00000042   00000002             1          2 
34          8A1424F0   8A1424B0   00000040   00000002             2          3 
35          11351F45   91351F07   80000042   00000000             1          3 
36          82BF1CBF   82BF1CBD   00000002   00000000             1          3 
37          D0F0184B   50F0184B   80000000   00000000             0          2 
38          556595C9   556595C9   00000000   00000000             0          1 
39          F293B286   7293B286   80000000   00000000             0          collision 
40          4346ADD9   4346ADD9   00000000   00000000             0          collision 
41          36E6A098   36E6A098   00000000   00000000             0          collision 
42          EEE67B0B   EEE67B0B   00000000   00000000             0          collision 
43          9E56A7D0   9E56A7D0   00000000   00000000             0          collision 
44          60238639   60238639   00000000   00000000             0          collision 
45          7AC21718   7AC21718   00000000   00000000             0          collision 
46          DAECDF02   DAECDF00   00000002   00000002             1          1 
47          BF89EC25   BF89EC67   00000042   00000002             1          2 
48          8BCC5BE5   8BCC5BA7   00000042   00000000             1          2 
49          F9E93AA7   79E93AA5   80000002   00000000             2          2 
50          59C4AF61   59C4AF61   00000000   00000000             0          2 
51          D45FFB3B   D45FFB3B   00000000   00000000             1          1 
52          4E1035E8   CE1035E8   80000000   00000000             0          collision 
53          016512B4   016512B4   00000000   00000000             0          collision 
54          18901C29   18901C2B   00000002   00000002             1          1 
55          35ECCBD3   35ECCB91   00000042   00000002             1          2 
56          27099F83   27099FC1   00000042   00000000             1          2 
57          49C921C6   C9C921C6   80000000   00000002             3          3 
58          E2ED9980   E2ED99C2   00000042   00000002             1          4 
59          17C2D470   17C2D432   00000042   00000000             2          3 
60          BD164D15   BD164D17   00000002   00000000             1          2 
61          26C37009   26C37009   00000000   00000000             0          2 
62          5E724CBE   5E724CBE   00000000   00000000             0          1 
63          CE9A5044   4E9A5044   80000000   00000000             0          collision 
64          D3C21B0E   D3C21B0E   00000000   00000000             0          collision 
65          3A0DACE4   3A0DACE6   00000002   00000002             1          1 
66          3BA3534D   3BA3530F   00000042   00000002             1          2 
67          113A26F1   113A26B3   00000042   00000000             1          2 
68          D19BC830   519BC832   80000002   00000000             1          2 
69          29E9FA23   29E9FA23   00000000   00000000             0          2 
70          70D1E9E5   70D1E9E7   00000002   00000002             1          2 
71          63247261   E3247221   80000040   00000000             0          1 
72          3FCFE72E   3FCFE72E   00000000   00000002             2          2 
73          14D7B0B7   94D7B0F5   80000042   00000002             1          3 
74          077CF5B9   877CF5FB   80000042   00000000             1          3 
75          1FF465A6   1FF465A6   00000000   00000002             2          3 
76          2628792C   2628796E   00000042   00000182             1          6 
77          C6CC2FD7   C6CC2F95   00000042   0000100C             1          8 
78          E295DBF3   E295DBF1   00000002   000E0304             1          13 
79          B19BF7ED   B19BF7ED   00000000   00C030A4             0          20 

6.2 Different Order of Functions

Modifying the order of the f_i functions can reduce the complexity of the attack. For example, if the order were IF, XOR, MAJ, XOR, ..., IF, XOR, MAJ, XOR, where the function changes in each round, the restrictions caused by two consecutive IF rounds would be removed, and thus Δ's with much higher probabilities could be chosen.

6.3 SHA-1 

Since in SHA-1 Equation (1) is replaced by

$W_i = \mathrm{ROL1}(W_{i-3} \oplus W_{i-8} \oplus W_{i-14} \oplus W_{i-16}),\quad i = 16, \ldots, 79, \qquad (3)$

which makes the mixing of the message bits much more effective, and since the techniques used in this paper rely on the properties inherited from Equation (1), the presented attacks are not applicable to SHA-1.
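To make the difference between Equations (1) and (3) concrete, the following added Python example (written for this edition, not code from the paper) implements both message expansions and measures how a single-bit difference in one message word spreads through the 80 expanded words; the sample block and the helper names are constructed for the demonstration.

```python
"""SHA-0 vs SHA-1 message expansion: how one word difference spreads.

Added illustration, not from the paper: implements Equation (1) of the
paper (SHA-0 expansion) and Equation (3) (SHA-1 expansion) and measures
how a single-bit difference in one message word propagates through the
80 expanded words W_0, ..., W_79.
"""
from typing import Callable, Dict, List

MASK32 = 0xFFFFFFFF


def rol1(x: int) -> int:
    """Rotate a 32-bit word left by one position (the ROL1 of Equation (3))."""
    return ((x << 1) | (x >> 31)) & MASK32


def expand_sha0(words: List[int]) -> List[int]:
    """SHA-0 expansion: W_i = W_{i-3} ^ W_{i-8} ^ W_{i-14} ^ W_{i-16}."""
    if len(words) != 16:
        raise ValueError("a message block is exactly 16 32-bit words")
    w = list(words)
    for i in range(16, 80):
        w.append(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16])
    return w


def expand_sha1(words: List[int]) -> List[int]:
    """SHA-1 expansion (Equation (3)): the same XOR followed by ROL1."""
    if len(words) != 16:
        raise ValueError("a message block is exactly 16 32-bit words")
    w = list(words)
    for i in range(16, 80):
        w.append(rol1(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16]))
    return w


def difference_profile(expand: Callable[[List[int]], List[int]],
                       block: List[int], word: int, bit: int) -> Dict:
    """Expand `block` and a copy with one bit flipped in `block[word]`.

    Returns how many of the 80 expanded words differ, how many bits differ
    in total, and the set of bit positions that ever carry a difference.
    Without the rotation every difference stays in its original bit
    position; with ROL1 the difference migrates across positions.
    """
    flipped = list(block)
    flipped[word] ^= 1 << bit
    deltas = [a ^ b for a, b in zip(expand(block), expand(flipped))]
    positions = {p for d in deltas for p in range(32) if (d >> p) & 1}
    return {
        "words": sum(1 for d in deltas if d),
        "bits": sum(bin(d).count("1") for d in deltas),
        "positions": positions,
    }


# Constructed sample block (arbitrary values, not taken from the paper).
SAMPLE_BLOCK = [(0x9E3779B9 * (i + 1)) & MASK32 for i in range(16)]


def compare(word: int = 0, bit: int = 5) -> Dict[str, Dict]:
    """Profile the same single-bit message difference under both expansions."""
    return {
        "sha0": difference_profile(expand_sha0, SAMPLE_BLOCK, word, bit),
        "sha1": difference_profile(expand_sha1, SAMPLE_BLOCK, word, bit),
    }


if __name__ == "__main__":
    for name, prof in compare().items():
        print(f"{name}: {prof['words']} expanded words differ, "
              f"{prof['bits']} bits in total, "
              f"bit positions {sorted(prof['positions'])}")
```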

7 Summary 

In this paper we described how to find near-collisions of SHA-0 using the surprising existence of many neutral bits. The near-collisions were found within a day on our PC. Our technique also improves the complexity of finding full collisions of SHA-0, but we concentrated on near-collisions due to the very low complexity of finding them. The observation that the strength of SHA-0 is not monotonous with the number of rounds is used here to find near-collisions of 80 rounds by applying the much more efficient attack on SHA-0 extended to 82 rounds. We expect that finding full collisions will take a month of computation time, and intend to check it in the continuation of our research. Due to the additional rotate operation, the results of this paper are not applicable to SHA-1.
Abstract. In this paper, we study the existence of multicollisions in iterated hash functions. We show that finding multicollisions, i.e. r-tuples of messages that all hash to the same value, is not much harder than finding ordinary collisions, i.e. pairs of messages, even for extremely large values of r. More precisely, the ratio of the complexities of the attacks is approximately equal to the logarithm of r. Then, using large multicollisions as a tool, we solve a long standing open problem and prove that concatenating the results of several iterated hash functions in order to build a larger one does not yield a secure construction. We also discuss the potential impact of our attack on several published schemes. Quite surprisingly, for subtle reasons, the schemes we study happen to be immune to our attack.



1 Introduction 

One-way hash functions are widely used cryptographic primitives; they operate on messages of almost arbitrary length¹ and output a fixed size value. Cryptographic hash functions should satisfy many security properties, such as the impossibility of recovering an associated message from a given hash. However, the main security requirement for a hash function is its collision resistance. Informally, given a good hash function, no attacker should be able to find a pair of different messages M and M' leading to identical hash values. It is a well-known fact that all hash functions suffer from a generic birthday paradox based attack. More precisely, if H is a hash function that outputs n-bit values, then among the hash values of 2^{n/2} different messages, there exists a collision with non-negligible probability. For this reason, hash functions that output values smaller than 160 bits are considered deprecated. Yet, in the past, 128-bit hash functions were proposed and for legacy reasons they are still encountered in applications.

In practice, building a cryptographic function with an input of variable size is not a simple task. For this reason, most hash functions are based on an iterated construction that makes use of a so-called compression function, whose inputs have fixed sizes. Examples of such a construction are Snefru [7], MD4 [12], MD5 [13] or SHA [9]. In this paper, we specifically study one-way hash functions built by iterating a compression function.

¹ The length is often bounded by a very large number such as 2^{64}. However, this is irrelevant for the attacks presented here.

M. Franklin (Ed.): CRYPTO 2004, LNCS 3152, pp. 306-316, 2004. 
Our main goal is to solve a long standing open problem: is the concatenation of two independent hash values more secure than a single hash value? This question is of general interest and has appeared in many contexts. As far as we know, this construction first appeared as a generic transform in the PhD thesis of B. Preneel [10] and was called cascading. It was presented there as a means to increase the security level at the cost of a decreased performance.

In fact, this idea of cascading hash functions is likely to be encountered in applications; for example, a construction called SHA-1x was used at some point in PGP and involves the computation of two SHA-1 values with a different set of initial constants. Similarly, the authors of RIPEMD [4] propose optional extensions of their hash functions to 256 and 320 bit values. In this case, the use of two hashes is extremely efficient since the original 128 and 160 bit algorithms already involve two parallel hash chains whose results are normally added together.

Yet, according to [4], one should not expect to improve the security level with these constructions, since unwanted dependencies between two slightly different instances of the same hash function may yield unforeseen attacks. In the same vein, a length doubling transform is suggested in the hash function chapter of [14], together with a warning that, while no attacks are known, several people have serious reservations about the construct.

As a consequence, the security of hash function cascading is not very clear. Roughly, the cryptographic folklore states that the construction is good when two "independent" hash functions are cascaded. Clearly, this is true for random oracles and the generalization seems natural. For reference about this folklore knowledge, the interested reader may look up Fact 9.27 in [6], which states that such a cascade is secure and that one could hope for a security of the order of the product of the securities of the initial hash functions. However, we show in section 4 that this construction is in fact insecure whenever an iterated hash function is involved in the cascading. Even cascading a 160-bit iterated hash function and a 160-bit random oracle does not really increase security above the initial 2^{80} level for collision resistance and above 2^{160} for preimage (or second preimage) resistance.

In order to solve this problem and prove that cascading two hash values is in fact insecure, we first address the simpler question of constructing multicollisions in an iterated hash function. This notion of multicollisions was first used by Merkle in [8] to study the security of a hash function based on DES. A related security property, namely r-collision freeness, has been suggested as a useful tool for building efficient cryptographic primitives. It was used for the micropayment scheme Micromint of Rivest and Shamir [11], for identification schemes by Girault and Stern in [5] and for signature schemes by Brickell et al. in [1]. The intuition behind this problem is that constructing r different messages with the same hash value should be much harder than constructing only two such messages. Once again, this is true when using random oracles. However, when iterated hash functions are involved, this intuition is false and multicollisions can be easily constructed.

The paper is organized as follows. In section 2 we recall some basic facts about iterated hash functions and the possible security properties of hash functions. In section 3, we describe the basic attack for constructing multicollisions in iterated hash functions. In section 4, we use this attack as a tool and show that the security obtained when cascading several hash values is far from optimal. Counterintuitively, this attack works even when two completely unrelated hash functions are cascaded and does not stem from any unforeseen correlation between similar hash functions. Finally, in section 5, we study the impact of our construction on several concrete schemes that rely on cascading or multicollision resistance. Very surprisingly, in all published examples, we encounter some obstruction which prevents the attack from working.



2 Basic Facts About Iterated Hash Functions 

An iterated hash function H is built by iterating a basic compression function. The compression function f takes two inputs, a chaining variable and a message block, and outputs the next value of the chaining variable. Before processing, the message is first padded and split into elementary blocks. The padding itself is generally performed by appending a single '1' bit, followed by as many '0' bits as needed. To avoid some attacks, the binary encoding of the message length can also be added to complete the padding. This is called Merkle-Damgård strengthening [8,3]. Once the padded message is split into ℓ blocks M_1, ..., M_ℓ, the chaining variable is set to some fixed initial value and the iteration is performed. To summarize, the hashing process works as follows:

— Pad the original message and split it into blocks M_1, ..., M_ℓ.

— Set H_0 to the initial value IV.

— For i from 1 to ℓ, let H_i = f(H_{i-1}, M_i).

— Output H(M) = H_ℓ.

Given such an iterated hash function, defining its security is a tricky matter. Ideally, the hash function is often seen as a concrete substitute for random oracles in cryptographic constructions. Of course, it is well known (see [2]) that this extreme level of security is in fact impossible to reach. Thus, the security level of a hash function is usually characterized by considering "easier" security goals. The most frequently encountered goal is the impossibility for a bounded adversary to find a collision in the hash function. We recall that a collision is a pair of different messages M and M' such that H(M) = H(M'). Due to the birthday paradox, there is a generic attack that finds collisions after about 2^{n/2} evaluations of the hash function, where n is the size in bits of the hash values. The attack works by randomly choosing messages and computing their hash values until a collision occurs. Typically, with iterated hash functions, the size of message blocks is often larger than the size of the hash values themselves, and this attack usually works on the compression function itself. Other important security goals for hash functions are preimage resistance and second-preimage resistance. An attack against preimage resistance is an attack that, given some target value y, finds a message M such that H(M) = y. An attack against second preimage resistance, given a message M, finds another message M' such that H(M) = H(M'). The best generic attacks against these security goals cost about 2^n evaluations of the function H.

The notion of collision can easily be generalized to that of r-way collision (or, for short, r-collision). An r-collision is simply an r-tuple of messages that all hash to the same value. Assuming as above that the hash values behave almost randomly, finding an r-collision could be done by hashing a number of messages that, when r becomes large, tends to 2^n. Due to this fact, relying on r-collision freeness in cryptographic constructions seems a good way to gain more security without increasing the size of the hash functions. This is very tempting in some applications such as identification schemes [5] and signature schemes [1]. The next section demonstrates that, in fact, r-collisions in iterated hash functions are not much harder to construct than ordinary collisions, even for very large values of r.

3 Constructing Multicollisions 

In this section, we show that constructing multicollisions in iterated hash functions can be done quite efficiently. More precisely, constructing 2^t-collisions costs t times as much as building ordinary 2-collisions. Before describing the attack, let us remark that the padding process can be ignored as long as we consider collisions between messages of the same length. Indeed, in that case, the blocks of padding are identical. Moreover, if the intermediate hash chaining values collide at some point in the hash computation of two messages, the following values remain equal as soon as the ends of the messages are identical. Thus, on messages of the same length, collisions without the padding clearly lead to collisions with the padding.

For simplicity of exposure, we assume that the size of the message blocks is bigger than the size of the hash (and chaining) values. However, the attack can be easily generalized to the other case. We also assume that we can access a collision finding machine C, that given as input a chaining value h outputs two different blocks B and B' such that f(h, B) = f(h, B'). This collision finding machine may use the generic birthday attack or any specific attack based on a weakness of f. The most relevant property is that C should work properly for all chaining values². To illustrate the basic idea, we first show how 4-collisions can be obtained with two calls to C. Starting from the initial value IV, we use a first call to C to obtain two different blocks, B_0 and B'_0, that yield a collision, i.e. f(IV, B_0) = f(IV, B'_0). Let z denote this common value and, using a second call to C, find two other blocks B_1 and B'_1 such that f(z, B_1) = f(z, B'_1). Putting these two steps together, we obtain the following 4-collision:

f(f(IV, B_0), B_1) = f(f(IV, B_0), B'_1) = f(f(IV, B'_0), B_1) = f(f(IV, B'_0), B'_1).

We now claim that this basic idea can be extended to much larger collisions by using more calls to the machine C. More precisely, using t calls, we can build 2^t-collisions in H. The attack works as follows:

² Or at least on a fixed proportion of them.
— Let h_0 be equal to the initial value IV of H.

— For i from 1 to t do:

  • Call C and find B_i and B'_i such that f(h_{i-1}, B_i) = f(h_{i-1}, B'_i).

  • Let h_i = f(h_{i-1}, B_i).

— Pad and output the 2^t messages of the form (b_1, ..., b_t, Padding) where b_i is one of the two blocks B_i or B'_i.

Clearly, the 2^t different messages built as above all reach the same final value. In fact, they have an even stronger property. Namely, all the intermediate hash values are equal, since all of the 2^t hashing processes go through h_0, h_1, ..., h_t. A schematic representation of these 2^t messages together with their common intermediate hash values is drawn in figure 1.



[Figure 1: a chain h_0 → h_1 → h_2 → h_3 → ... → h_{t-1} → h_t, where each step from h_{i-1} to h_i can be taken with either block B_i or B'_i]

Fig. 1. Schematic representation of multicollision construction



Some generalizations. If f works on message blocks which are smaller than the chaining values, the natural way to proceed is to group a few consecutive applications of f. For example, we can consider the function (h, B_1, B_2) ↦ f(f(h, B_1), B_2) which composes two rounds of the compression function. As soon as the total size of the input blocks exceeds the size of one chaining value, we can apply the original attack to the composed compression function.

Another generalization is to build 2^t-collisions from a 2-collision attack machine C that works only on a fixed proportion ε of the chaining values. Of course, this is not the case with the generic birthday attack; however, it may happen with some specific attacks. In that case, the basic attack described above only works with probability ε^t. Indeed, if any of the h_i does not belong to the set of chaining values that C can attack, we are in trouble. However, this bad behavior can be easily corrected by inserting a randomization step between two consecutive applications of C. Namely, after finding B_i and B'_i such that f(h_{i-1}, B_i) = f(h_{i-1}, B'_i), choose a random block R_i and let:

h_i = f(f(h_{i-1}, B_i), R_i).

If h_i fails to be in the scope of C, change R_i to get another candidate. Altogether, this randomization technique leads to a global complexity of the attack of the order of t/ε calls to C.

4 On the Security of Cascaded Hash Functions 

A natural construction to build large hash values is to concatenate several smaller hashes. For example, given two hash functions F and G, it seems reasonable, given a message M, to form the large hash value (F(M)||G(M)). In this construction, F and G can either be two completely different hash functions or two slightly different instances of the same hash function³. If F and G are good iterated hash functions with no attack better than the generic birthday paradox attack, we claim that the hash function F||G obtained by concatenating F and G is not really more secure than F or G by itself. Moreover, this result applies to collision resistance, preimage resistance and second preimage resistance alike.



4.1 Collision Resistance 

Assume that F outputs an n_f-bit hash value and G an n_g-bit value. Then, with respect to collision resistance, the security level of F is 2^{n_f/2} and the level of G is 2^{n_g/2}. If F||G was a good hash function, the complexity of the best attack would be 2^{(n_f+n_g)/2}. We claim that there exists a much better attack which finds collisions on F||G with complexity of the order of n_g 2^{n_f/2} + 2^{n_g/2} if n_f ≤ n_g (respectively n_f 2^{n_g/2} + 2^{n_f/2} if n_f > n_g). Assuming that n_f ≤ n_g, the attack works as follows.

First, using the multicollision algorithm of section 3 with t equal to n_g/2 rounded up, construct a 2^t-collision on F. This costs t calls to the basic birthday paradox attack on the compression function of F, i.e. about t · 2^{n_f/2} operations. This yields 2^t different messages with the same hash value on the F side. Since t ≥ n_g/2, we can perform a direct application of the birthday paradox on this set of 2^t elements and, with reasonable probability, expect that a collision occurs among the n_g-bit hashes of these 2^t messages by G. To increase the probability of success, it suffices to increase the value of t and add a few more calls to the basic attack on F.

Note that when evaluating the complexity of the attack, one must take into account the contribution of applying G to 2^t different messages of t blocks each. With a naive implementation, this would cost t · 2^t calls to the compression function of G. However, using the tree structure of the messages, this can be reduced to 2^t evaluations, assuming that the compression functions of F and G operate on the same size of blocks. Otherwise, it is necessary to add some padding between blocks in order to resynchronize the two functions.

A very important fact about this attack is that it does not require G to be an iterated hash function. Any hash function will do, and this attack on cascaded hashes works even when G is replaced by a random oracle⁴. Since a random oracle is independent from any function, this shows that the folklore knowledge about cascading hash functions is false. Thus, at least in that case, cascading two good and independent hash functions does not significantly improve collision resistance.

³ E.g., two instances of SHA-1 with different constants.

⁴ The only difference in that case is the fact that the evaluations of G on the 2^t messages can no longer be simplified. As a consequence, assuming that the cost of calling the random oracle G is linear in the size of the message, the contribution of G to the complexity becomes
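The multicollision construction of section 3 and the collision attack on F||G of section 4.1, as an added Python example (written for this edition, not the paper's code): F is a deliberately tiny Merkle-Damgård hash with a 16-bit chaining value and 3-byte blocks so that the birthday step costs a few hundred compression calls, G is an unrelated 16-bit hash treated as a black box, and C is the generic birthday collision machine; the IV, both compression functions and the block size are constructed for the demonstration.

```python
"""Joux's multicollision construction and the cascade attack, on a toy hash.

Added example, not code from the paper.  The names F, G, f, C, h_i, t and
n_g follow the paper's text; everything concrete (IV, block size, the two
compression functions) is constructed here so the attack runs in seconds.
"""
import hashlib
import itertools
from typing import Dict, Iterator, List, Tuple

N_F = 16            # chaining value / output size of F, in bits
BLOCK_BYTES = 3     # message blocks are larger than the chaining value
IV = 0x5A5A         # constructed initial value


def f(h: int, block: bytes) -> int:
    """Toy compression function: 16-bit chaining value, 3-byte block."""
    digest = hashlib.sha256(b"f" + h.to_bytes(2, "big") + block).digest()
    return int.from_bytes(digest[:2], "big")


def F(message: bytes) -> int:
    """Iterated hash with Merkle-Damgard strengthening (a final length block)."""
    if len(message) % BLOCK_BYTES:
        raise ValueError("message must be a whole number of blocks")
    h = IV
    for i in range(0, len(message), BLOCK_BYTES):
        h = f(h, message[i:i + BLOCK_BYTES])
    return f(h, len(message).to_bytes(BLOCK_BYTES, "big"))


def G(message: bytes) -> int:
    """Unrelated 16-bit hash; the attack never looks inside it."""
    return int.from_bytes(hashlib.sha256(b"G" + message).digest()[:2], "big")


def C(h: int) -> Tuple[bytes, bytes]:
    """Collision machine: generic birthday attack on f for chaining value h.

    Returns two different blocks B, B' with f(h, B) == f(h, B')."""
    seen: Dict[int, bytes] = {}
    k = 0
    while True:
        block = k.to_bytes(BLOCK_BYTES, "big")
        out = f(h, block)
        if out in seen:
            return seen[out], block
        seen[out] = block
        k += 1


def multicollision(t: int) -> Tuple[List[Tuple[bytes, bytes]], int]:
    """Section 3: t calls to C give 2^t messages with equal chaining values.

    Returns the t block pairs (B_i, B'_i) and the common final value h_t."""
    h = IV
    pairs: List[Tuple[bytes, bytes]] = []
    for _ in range(t):
        b, b_prime = C(h)
        pairs.append((b, b_prime))
        h = f(h, b)        # f(h, b_prime) is the same value by construction
    return pairs, h


def messages_from(pairs: List[Tuple[bytes, bytes]]) -> Iterator[bytes]:
    """Enumerate all 2^t messages (b_1, ..., b_t) with b_i in {B_i, B'_i}."""
    for choice in itertools.product(*pairs):
        yield b"".join(choice)


def cascade_collision(n_g: int = 16, extra: int = 4) -> Tuple[bytes, bytes]:
    """Section 4.1: collide F||G via a 2^t-collision on F, t = n_g/2 + extra.

    G is evaluated only on the multicollision set; among 2^(n_g/2 + extra)
    messages a birthday collision on its n_g-bit output is expected."""
    t = -(-n_g // 2) + extra          # n_g/2 rounded up, plus a safety margin
    pairs, _ = multicollision(t)
    seen: Dict[int, bytes] = {}
    for m in messages_from(pairs):
        g = G(m)
        if g in seen:
            return seen[g], m
        seen[g] = m
    raise RuntimeError("no G collision found; increase `extra`")


if __name__ == "__main__":
    pairs, h_t = multicollision(4)
    msgs = list(messages_from(pairs))
    print(f"{len(msgs)} messages, all with F = {F(msgs[0]):04x}")
    m1, m2 = cascade_collision()
    print(f"F||G collision: {F(m1):04x}{G(m1):04x} == {F(m2):04x}{G(m2):04x}")
```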
4.2 Preimage and Second-Preimage Resistance

Concerning preimage resistance, it is already known that, at least in some cases, a cascade of two hash functions is no stronger than the weakest of them. Indeed, assume that we are hashing messages from a relatively small set, say a set of 2^m messages. Clearly, the best generic attack to find a preimage in that case is to perform exhaustive search on the set of messages, which costs 2^m steps. Assume that the output of each of the two hash functions being cascaded is larger than m bits and that, on this set of messages, one of the two hash functions, say F, has a shortcut attack. Then, we can clearly use this attack to recover a candidate preimage. Once this is done, it suffices to check that this candidate is also a preimage for the other function. The new attack presented in this section deals with a different case, where the entropy of the message space is much larger. It shows that even then the cascaded hash is no more secure than F itself.

Assume again that F outputs an n_f-bit hash value and G an n_g-bit value. Then, with respect to preimage resistance, the security level of F is 2^{n_f} and the level of G is 2^{n_g}. Indeed, the best known generic algorithm to break preimage resistance is to try random messages until the expected hash value is reached. This amounts to exhaustive search on the set of possible hash values. If F||G was a good hash function, the complexity of this exhaustive search attack would be 2^{n_f+n_g}. As with collision resistance, there exists a much better attack which finds a preimage on F||G with complexity of the order of n_g 2^{n_f/2} + 2^{n_f} + 2^{n_g} if n_f ≤ n_g (respectively n_f 2^{n_g/2} + 2^{n_g} + 2^{n_f} if n_f > n_g). Assuming that n_f ≤ n_g, the attack works as follows.

First, using the multicollision algorithm of section 3 with t equal to n_g, construct a 2^t-collision on F. This costs t calls to the basic birthday paradox attack on the compression function of F, i.e. about t · 2^{n_f/2} operations. Then, search for an additional block that maps the last chaining value to the target value of F. Note that when looking for this additional block, we need to compute the output of the complete F function, including the padding of the message. However, this is a simple matter. After this last step, we obtain 2^t different messages with the expected hash value on the F side. Since t = n_g, we expect that, with constant probability, at least one of these 2^t messages also matches the expected t-bit value on the G side. Once again, the probability of success can be improved by adding a few more steps to the attack. Note that this attack on preimage resistance does not require G to be an iterated hash function either. As before, it also works when G is replaced by a random oracle.

Clearly, the above attack finds a preimage for a target value which is essentially random. As a consequence, it can be applied directly without any change when a second preimage is requested.

4.3 Extensions and Open Problems 

Given these attacks, it is natural to ask whether they generalize to three or more concatenated hash values. In this section, we focus on the possibility of generalizing the collision search attack. We show that it does and that the generalization is almost straightforward. Indeed, assume that H is a third hash function on n_H bits; then, using the above attack on F||G a couple of times, say t ≈ n_H/2 times, it is possible, as in section 3, to build a 2^t-collision on F||G. Among these 2^t messages, we expect a collision of H. All in all, this yields a simultaneous collision on F, G and H. When n_f = n_g = n_H = n, the expression of the complexity simplifies and is of the order of n^2 · 2^{n/2}. More generally, a simultaneous collision on q different n-bit iterated hash functions can be found with complexity n^{q-1} · 2^{n/2}. Thus, the security of such a construction stays within a polynomial factor of the security of a single good iterated hash function of the same size. Similarly, variants of the attack on preimage resistance can be adapted to the case of q different hash functions. However, since they are more complicated, we do not present them here. One possible variant is described in the appendix.

Another generalization of the above attack is also worth noting. In [14], B. Schneier described a different way of building a long hash from a hash function F. In this method, F(M) is concatenated with G(F(M)||M) (or G(M||F(M))). At first view, this is more complicated than the F||G construction. However, the very same attack can be applied. Indeed, when a 2^t-collision is found on F(M), this fixes F(M) in the first half of the big hash and also the copy of F(M) in the call to G; thus a collision on the G part is expected exactly as before. The preimage attack also works as before. We leave open the problem of finding a related construction making q calls to an n-bit hash function and with security higher than n^{q-1} · 2^{n/2} with respect to collision resistance.

One can also study a related question: how does the security of the concatenated hash F||G behave when F and G have non-generic attacks better than the birthday paradox collision search? In that case, can F||G be significantly more secure than the best of F and G?

For the sake of simplicity, assume once again that n_f = n_g = n. Then, if F has a collision finding algorithm C as in section 3 with complexity 2^{n/2}/n or better and G has no shortcut attack better than the birthday paradox, the security of F||G is essentially the same as the security of G itself. On the other hand, if G also admits a shortcut attack (as in section 3), it is unclear whether the two shortcut attacks may be used together to improve the composed attack against F||G. Yet, some other types of attacks against G can be integrated into a better composed attack on F||G. To give an example, let g denote the compression function of G. Assume that there exists a shortcut attack which, given a large set g_1, ..., g_N of chaining values, finds a message block B and two indices i and j such that g(g_i, B) = g(g_j, B) in time N. Clearly, such a merging attack could be used to turn an N-collision on F into a full collision on F||G. Thus, it is safer to assume that F||G is essentially as secure as the best of F and G, no more.

5 Potential Applications 

While the ideas of cascaded constructions and multicollisions are frequently encountered in the cryptographic folklore, they are somewhat avoided in published papers. As a consequence, we were not able to find a single research paper that can be cryptanalyzed using the attacks presented here. In this section, we describe some published constructions which were likely candidates and explain why the attacks failed.

Cascaded hash functions. Among the frequently encountered hash functions, RIPEMD is the most suited to the cascaded construction. Indeed, the basic algorithm already consists of two separate hash computations which are put together at the end of the round function. Thus, using the result of the two chains to form a longer hash would be both natural and efficient. In fact, the authors of RIPEMD propose in [4] optional extensions to 256 and 320 bits by using this idea. These extensions are not fully specified, but a sketch is given. In this sketch, the authors of RIPEMD recommend adding to the basic cascade some interaction between the two parallel compression functions. More precisely, they propose to swap one register from the first chain and its counterpart in the second chain after each round of the compression function (5 rounds in RIPEMD-160 and 4 rounds in RIPEMD-128). This interaction was introduced as an additional security measure and, with respect to our attack, this countermeasure is very effective and completely voids it.

Use of multicollisions. Among the published constructions that make use of multicollisions, one can cite the micropayment scheme Micromint [11], the identification scheme of Girault and Stern [5] and the signature scheme of Brickell et al. [1]. In these three applications, multicollisions are indeed used; however, in the proposed instances of the schemes, no iterated hash function with a small internal memory is used. Instead, one encounters either a block cipher based compression function with a small block size but without iteration, or a truncation of an iterated hash function with a relatively large output size. In both cases, our attack is inapplicable. In the first case, the required iteration is not available; in the second, the attack needs collisions on the full internal states of the hash function, rather than on the truncated states.

6 Conclusion 

In this paper, we have shown that multicollisions in iterated hash functions are not really harder to find than ordinary collisions. This yields the first effective attack against a natural construction that extends the size of hash values by concatenating several independent results. While considered suspect by some, especially when used with related hash functions, this construction had never been attacked before. The cryptanalysis we presented here yields attacks against collision resistance, preimage resistance and second preimage resistance. As a consequence, it leaves open the problem of constructing secure hash functions with variable output length, which is an important primitive to instantiate some cryptographic paradigms such as the full domain hash.

Another important theoretical result is the fact that iterated hash functions cannot be used as entropy-smoothing functions on arbitrary sets of inputs. Devising good cryptographic entropy-smoothing functions would be a nice topic for future research.
A Preimage Resistance with Many Hash Functions Cascaded

While the attack against collision resistance described in section 4.1 is easily 
generalized to q hash functions and yields an attack with complexity of the order 
of $2^{n/2}$ (up to a polynomial factor), assuming that each function outputs n 
bits, this is not the case for the attack on preimage resistance. Indeed, the 
attack we described in section 4.2 is not straightforward to generalize. The goal 
of this section is to present a variant of the attack that can be easily 
generalized. The drawback is that this variant is slightly more complicated than 
the initial attack. 

316 Antoine Joux 

In this variant, each hash function is attacked in two steps. Each of these steps 
is constructed in a way that ensures compatibility with the previous hash 
functions. The first step within each hash function is to find two different 
sequences of blocks that, through the iterated hash process, send the initial 
value back to itself. The cost of this amounts to twice an exhaustive search on 
the set of possible chaining values. The second step is to find a terminating 
sequence of blocks that sends this chaining value to the target value for the 
current hash function. This costs about one exhaustive search on the same set. 

When processing the first message, we look for single-block sequences. Moreover, 
the terminating block should be correctly padded. A slight technical problem is 
that padding requires a priori knowledge of the final message size. However, we 
show at the end of this section that this size can be fixed in advance, before 
launching the attack. Let T denote this size; then we consider as inputs to the 
first hash function the $2^{T-1}$ messages formed of $T-1$ blocks, each chosen 
among the two basic blocks that send the initial value to itself, and one final 
block which sends the initial value to the target value $h_F$. A representation 
of these messages is given in Figure 2. 



[Figure: a chain of states $h_0 \to h_0 \to \cdots \to h_0$, each arrow 
labelled by a choice between the looping blocks $B$ and $B'$, followed by a 
final block mapping $h_0$ to the target value $h_F$.] 

Fig. 2. First step of the preimage attack 



With the second hash function, the looping sequences are constructed by 
concatenating n blocks chosen among the two ($B$ and $B'$) that make the first 
hash function loop (a few more blocks can be added to increase the probability 
of finding good sequences). Clearly, when applying one of these sequences, both 
the first and the second hash function go back to their initial values. The 
final sequence is constructed by concatenating many copies of the looping blocks 
$B$ or $B'$ and a single instance of the final block, in order to send the second 
hash function to its expected destination. Clearly, such a sequence also sends 
the first hash function to its target value. The advantage of this attack 
compared to that of section 4.2 is that additional hash functions can be 
processed by iterating the previous procedure. A notable exception is the 
computation of the last hash function, which requires no looping part and can 
thus be simplified. The total runtime is clearly bounded by a polynomial in $n$ 
times the cost of exhaustive search. The length T of the message can be easily 
predetermined and is of the order of 
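The two-step procedure above, run on a toy instance. This is an added example, not code from Joux's paper: it assumes a W = 8-bit chaining value, 16-bit blocks, SHA-256 truncated to W bits as a stand-in compression function, a common initial value 0, no padding, and a constant EXTRA for the "few more blocks" that make looping sequences likely. It implements the general iteration over q cascaded functions that the appendix describes (the text spells out only the first two), so the loops of level i-1 are the units from which level i builds its looping and final sequences. The labels and target values are constructed.

```python
import hashlib
from itertools import product

W = 8                      # width of the chaining value in bits (toy size, assumption)
MASK = (1 << W) - 1
BLOCK_BITS = 16            # message blocks are 16-bit integers (assumption)
IV = 0                     # common initial value h_0 of every function (assumption)
EXTRA = 4                  # "a few more blocks" so that loops are found w.h.p.


def compress(label: bytes, h: int, block: int) -> int:
    """Toy W-bit compression function: SHA-256 truncated to W bits."""
    data = label + h.to_bytes(2, "big") + block.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big") & MASK


def iterate(label: bytes, h: int, blocks) -> int:
    """Merkle-Damgaard iteration (no padding) starting from chaining value h."""
    for b in blocks:
        h = compress(label, h, b)
    return h


def search(label, start, target, units, length, want, suffix=()):
    """Enumerate sequences of `length` units (a unit is a tuple of blocks),
    each followed by `suffix`, and return `want` distinct ones that drive the
    function `label` from `start` to `target`.  With 2^(W+EXTRA) candidates
    and a 1/2^W hit rate this is one exhaustive search over the W-bit state."""
    found = []
    for seq in product(units, repeat=length):
        blocks = tuple(b for u in seq for b in u) + tuple(suffix)
        if iterate(label, start, blocks) == target:
            found.append(blocks)
            if len(found) == want:
                return found
    raise RuntimeError("search space exhausted; increase EXTRA")


def cascade_preimage(labels, targets):
    """Return M with iterate(labels[i], IV, M) == targets[i] for every i.
    Level 1 uses single blocks (B, B' and the final block); level i builds
    its looping and final sequences out of the two loops of level i-1.
    The last function needs no looping sequences."""
    single = [(b,) for b in range(1 << BLOCK_BITS)]
    loops = search(labels[0], IV, IV, single, 1, 2)             # B and B'
    final = search(labels[0], IV, targets[0], single, 1, 1)[0]  # h_0 -> h_F
    for i in range(1, len(labels)):
        label, target = labels[i], targets[i]
        # Final sequence: loops of the previous level (they leave every
        # earlier function at IV) followed by the previous final sequence
        # (which sends every earlier function to its target), chosen so
        # that the current function lands on its own target.
        final = search(label, IV, target, loops, W + EXTRA, 1, suffix=final)[0]
        if i < len(labels) - 1:
            # Looping sequences for this level: every earlier function is
            # back at IV after each unit, so only this function is searched.
            loops = search(label, IV, IV, loops, W + EXTRA, 2)
    return final


def check(labels, targets, message) -> bool:
    """Verify that `message` is a preimage for every function in the cascade."""
    return all(iterate(lab, IV, message) == tgt for lab, tgt in zip(labels, targets))


if __name__ == "__main__":
    labels = [b"F", b"G", b"H"]          # three cascaded toy hash functions
    targets = [0x17, 0xC8, 0x4D]         # constructed target values
    msg = cascade_preimage(labels, targets)
    print(len(msg), "blocks; preimage for all three:", check(labels, targets, msg))
```

The message length grows as (W+EXTRA)^(q-1), matching the remark that T can be fixed before the attack starts; the work is a handful of 2^W-sized searches rather than the 2^(qW) a naive preimage search on the concatenation would need.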
Abstract. We propose the first distributed discrete-log key generation 
(DLKG) protocol from scratch which is adaptively-secure in the non- 
erasure model, and at the same time completely avoids the use of in- 
teractive zero-knowledge proofs. As a consequence, the protocol can be 
proven secure in a universally-composable (UC) like framework which 
prohibits rewinding. We prove the security in what we call the single- 
inconsistent-player UC model, which guarantees arbitrary composition 
as long as all protocols are executed by the same players. As an applica- 
tion, we propose a fully UC threshold Schnorr signature scheme. 

Our results are based on a new adaptively-secure Feldman VSS scheme. 
Although adaptive security was already addressed by Feldman in the 
original paper, the scheme requires secure communication, secure era- 
sure, and either a linear number of rounds or digital signatures to re- 
solve disputes. Our scheme overcomes all of these shortcomings, but on 
the other hand requires some restriction on the corruption behavior of 
the adversary, which however disappears in some applications including 
our new DLKG protocol. 

We also propose several new adaptively-secure protocols, which may find 
other applications, like a sender non-committing encryption scheme, a 
distributed trapdoor-key generation protocol for Pedersen’s commitment 
scheme, or distributed-verifier proofs for proving relations among com- 
mitments or even any NP relations in general. 



1 Introduction 

A distributed key generation protocol is an essential component in threshold 
cryptography. It allows a set of n players to jointly generate a key pair, (pk, sk), 
that follows the distribution defined by the target cryptosystem, without the 
need for a trusted party. While the public-key pk is output in clear, the 
corresponding secret-key sk remains hidden and is maintained in a shared manner 
among the players via a secret sharing scheme. This should allow the players 
to later use sk without explicitly having to reconstruct it. The distributed 
key-generation for discrete-log based schemes, DLKG in short, amounts to the 
joint generation of a random group element y as public-key and a sharing of its 
discrete-log (DL) $x = \log_g(y)$ as secret-key with regard to some given base g. A 
DLKG protocol must remain secure in the presence of a malicious adversary who 
may corrupt up to a minority of the players and make them behave in an 
arbitrary way. Informally, it is required that, for any adversary, y must be 
uniformly distributed, and the adversary must learn nothing about x beyond 
$y = g^x$. 

* Research was carried out while at the Centre for Advanced Computing - Algorithms 
and Cryptography, Department of Computing, Macquarie University, Australia. 

M. Franklin (Ed.): CRYPTO 2004, LNCS 3152, pp. 317-334, 2004. 

DLKG was first addressed by Pedersen in [14]. Gennaro et al. pointed out that 
Pedersen's scheme is not secure against a rushing adversary (and not even against 
a non-rushing adversary) and proposed a new (statically) secure scheme [12]. Then 
Frankel et al. [11] and Canetti et al. [7] introduced adaptively secure schemes 
in the erasure model, and Jarecki and Lysyanskaya improved the schemes to work 
in the non-erasure model and to remain secure under concurrent composition [13]. 

These DLKG protocols which are secure against an adaptive adversary rely 
heavily on the use of interactive zero-knowledge proofs. This poses the question 
whether this is an inherent phenomenon for adaptively secure DLKG. We answer 
this question in the negative. Concretely, we propose an adaptively-secure 
distributed key-generation protocol from scratch which completely avoids the 
use of interactive zero-knowledge proofs. As a consequence, the protocol can be 
and is proven secure in a relaxed version of Canetti's universally-composable 
(UC) framework [4], which prohibits rewinding. We show the usefulness of our 
distributed key-generation protocol by showing how it gives rise to a (fully) UC 
threshold Schnorr signature scheme. To the best of our knowledge, this is the 
first threshold scheme proven secure in the UC framework. 

The relaxed UC framework, which we call the single-inconsistent-player (SIP) 
UC framework, coincides with the original UC framework, except that the 
simulator is allowed to fail in case the adversary corrupts some designated 
player $P_{j^*}$, which is chosen at random from the set of all players and 
announced to (and only to) the simulator. This relaxation still allows for a 
powerful composition theorem in that protocols may be arbitrarily composed, as 
long as all subsidiary protocols involve the same set of players. 

We stress once more that this relaxation only applies to the proposed dis- 
tributed key-generation protocol but not to its application for the threshold 
Schnorr signature scheme. 

Our DLKG protocol (and thus the threshold Schnorr signature scheme) is 
based on a new adaptively-secure version of Feldman's famous (statically 
secure) VSS scheme. Although adaptive security was already addressed by 
Feldman in the original paper [10], and besides the well known standard Feldman 
VSS scheme he also proposed an adaptively-secure version, the proposed scheme 
has several shortcomings: (1) it requires the players to be able to reliably erase 
data, (2) it either proceeds over a linear number of rounds or otherwise needs to 
incorporate signatures as we will point out, and (3) it requires secure 
communication channels (or expensive non-committing encryption schemes). We 
propose a new variant of Feldman's VSS scheme which overcomes all of these 
limitations. Even though the proposed scheme is not fully adaptively secure but 
requires some restriction on the corruption behavior of the adversary, this 
restriction is acceptable in that it disappears in the above applications to 
threshold cryptography. 

Furthermore, as building blocks for the above schemes or as related 
constructions, we also propose a sender non-committing encryption scheme, a new 
adaptively secure distributed trapdoor-key generation protocol for Pedersen's 
commitment scheme, as well as adaptively secure distributed-verifier 
zero-knowledge proofs, which all may very well find other applications. Finally, 
in the full version of this paper [3], we propose several additional 
applications and/or related adaptively-secure constructions of independent 
interest: a simple modification of Feldman's adaptively-secure VSS scheme which 
overcomes (1) and (2) above, though not (3), but is fully adaptively-secure, an 
adaptively secure version of Pedersen's VSS scheme as a committed VSS, a 
threshold version of the DSS signature scheme in the UC model, a threshold 
version of the Cramer-Shoup cryptosystem in the SIP UC model, and a 
common-reference-string generator with applications to zero-knowledge proofs in 
the UC model. 

The paper is organized as follows. Section 2 reviews the model we are con- 
sidering. It includes a short introduction to the UC framework of Canetti and 
the new SIP UC framework. In Sect. 3 we recall Feldman’s statically and adap- 
tively secure VSS schemes, and we point out an obstacle in the dispute resolu- 
tion phase of the adaptive scheme, before we construct our version in Sect. 4. 
Finally, Sect. 5 shows the applications to adaptively-secure DLKG, universally- 
composable threshold cryptography and distributed- verifier proofs. 

Due to space limitations, many definitions and proofs could only be sketched 
in this proceedings version of the paper; the formal treatment can be found in 
the full version [3]. 



2 Preliminaries 

2.1 Communication and Adversary 

We consider a synchronized authenticated-link model where a message from $P_s$ 
to $P_r$ is delivered within a constant delay and accepted by $P_r$ if and only 
if it is sent from $P_s$ to $P_r$. Moreover, we assume a broadcast channel with 
which every player sends a message authentically and all players receive the 
same message. 

We consider a central adversary A which may corrupt players at will. 
Corrupting a player $P_i$ allows A to read $P_i$'s internal state and to act on 
$P_i$'s behalf from that point on. In the non-erasure model, A additionally 
gains $P_i$'s complete history. A is called t-limited if it corrupts at most t 
players. Furthermore, A is called static if it corrupts the players before the 
protocol starts, and A is called adaptive if it corrupts the players during the 
execution of the protocol, depending on what it has seen so far. 
2.2 Canetti's Universally Composable Framework 

In order to formally specify and prove the security of our protocols, we will use 
the universally composable (UC) framework of Canetti [4]. We briefly sketch 
this framework here; for a more elaborate description we refer to the full 
version of the paper [3] or to the literature. The UC framework allows one to 
define and prove secure cryptographic protocols as stand-alone protocols, while 
at the same time guaranteeing security in any application by means of a general 
composition theorem. In order to define security of a protocol $\pi$, it is 
compared with an ideal functionality $\mathcal{F}$. Such a functionality can be 
thought of as a trusted party with whom every player can communicate privately 
and which honestly executes a number of specified commands. The UC security 
definition essentially requires that for every (real-life) adversary A attacking 
the protocol $\pi$, there exists an ideal-life adversary S, also called 
simulator, which gets to attack the ideal-life scenario where only the players 
and $\mathcal{F}$ are present, such that S achieves "the same" as A could have 
achieved by an attack on the real protocol. In the framework, this is formalized 
by considering an environment Z which provides inputs to and collects outputs 
from the honest players and communicates in the real-life execution with A and 
in the ideal-life execution with S. It is required that Z cannot tell the 
difference between the real-life and the ideal-life executions, meaning that its 
respective outputs in the two cases are computationally indistinguishable. 

As mentioned above, the UC framework provides a very general composition 
theorem: for any protocol $\rho$ that securely realizes functionality 
$\mathcal{G}$ in the so-called $\mathcal{F}$-hybrid model, meaning that it may 
use $\mathcal{F}$ as a subroutine, the composed protocol $\rho^{\pi}$ that 
replaces $\mathcal{F}$ with a secure protocol $\pi$ also securely realizes 
$\mathcal{G}$ (in the real-life model). 

2.3 Single-Inconsistent-Player UC Framework 

The single-inconsistent-player (SIP) technique of [7] is often used to achieve 
both adaptive security and efficiency. A protocol in the SIP model is secure 
(i.e. securely simulatable in the classical model of computation) if the adversary 
does not corrupt a designated player which is chosen independently at random 
before the protocol starts. Using the terms of the UC framework, it means that 
the simulator S is given as input the identity of a randomly chosen player 
$P_{j^*}$, and S is required to work well as long as $P_{j^*}$ is uncorrupted. 
In the case of a t-limited adversary with $t < n/2$, this reduces S's success 
probability by a factor of 1/2. This still guarantees security in that whatever 
A can do in the real-life model, S has a good chance of achieving the same in 
the ideal-life model. Indeed, in the classical sense, a simulator is considered 
successful if it works better than with negligible probability. However, with 
such a simulator S, the composition theorem no longer works in its full 
generality. To minimize the effect of the SIP approach, we have to limit the set 
of players to be the same in all subsidiary protocols. This way, $P_{j^*}$ can 
be sampled once and for all, and the condition that $P_{j^*}$ remains 
uncorrupted applies to (and either holds or does not hold) simultaneously for 
all protocols. With this limitation, the composition theorem essentially works 
as before. See also the full version of the paper [3]. 
2.4 Some Functionalities 

We briefly introduce some functionalities we use throughout the paper. For for- 
mal descriptions and more elaborate discussions, we refer to [3] . 

Secure-Message-Transmission Functionalities: The secure-message-transmission 
functionality, as defined in [4], is denoted by $\mathcal{F}_{\mathrm{SMT}}$. On 
receiving $(\mathsf{send}, sid, P_r, m)$ from $P_s$, it sends $(sid, P_s, m)$ to 
$P_r$ and $(sid, P_s, P_r)$ to the (ideal-life) adversary S and halts. If the 
length of m may vary, it is also given to S. 

Due to some subtle technicalities, $\mathcal{F}_{\mathrm{SMT}}$ cannot be 
securely realized in a synchronized communication model against an active 
adversary. The reason is that in any (interactive) candidate realization 
$\pi_{\mathrm{SMT}}$, the adversary A can corrupt the sender during the 
execution of the protocol and change the message m to be securely transmitted 
(or abort the protocol), while this cannot be achieved by S. Indeed, once 
$\mathcal{F}_{\mathrm{SMT}}$ is invoked it is always completed with the initial 
input (and the output is delivered to the receiver). To overcome this problem, 
we introduce spooled SMT. This is captured by $\mathcal{F}_{\mathrm{SSMT}}$, 
which first spools the sent message m and only delivers the spooled message m 
(or a possibly different m in case of a corrupt $P_s$) when receiving another 
(the actual) send command from $P_s$. This allows S to change m after 
$\mathcal{F}_{\mathrm{SSMT}}$ has been launched simply by corrupting $P_s$ after 
the spool- but before the send-command. 

$\mathcal{F}_{\mathrm{SSMT}}$ can be realized over a public network using 
non-committing encryption as introduced by Canetti et al. in [6]. However, this 
is rather expensive as the best known schemes [9] still bear a ciphertext 
expansion $O(\kappa)$. Instead, our results are based on efficient though not 
fully adaptively secure realizations. 

In our construction, we will also use an extended version of the 
$\mathcal{F}_{\mathrm{SSMT}}$ functionality which allows $P_s$, in case of a 
dispute, to convince the other players of the message m sent to $P_r$. This is 
specified by $\mathcal{F}_{\mathrm{SSMTwo}}$, spooled SMT with opening, which 
works as $\mathcal{F}_{\mathrm{SSMT}}$ except that it additionally allows an 
open-command sent from $P_s$ (and only from $P_s$), upon which it announces the 
transmitted message m to all players. 

Committed-VSS Functionalities: An advantage of using Feldman and Pedersen 
VSS in protocol design is that besides producing a (correct) sharing, they also 
commit the dealer to the shared secret. Often, this commitment can be and 
is used in upper-level protocols. However, in the definition of UC-secure VSS 
given in [4], such a commitment is hidden in the protocol and not part of the 
functionality, and thus not available for external protocols. We introduce the 
notion of committed VSS to overcome this inconvenience. 

Let $\mathrm{com}_K : S_K \times R_K \to Y_K$ be an (efficiently computable) 
commitment function, indexed by a commitment key K. Typically, K is sampled by 
a poly-time generator (on input the security parameter). A commitment for a 
secret $s \in S_K$ is computed as $y = \mathrm{com}_K(s; r)$, where we use the 
semicolon to express that the second argument, r, is chosen randomly (from 
$R_K$) unless it is explicitly given. 

A committed VSS (with respect to commitment scheme $\mathrm{com}_K$) is 
specified by functionality $\mathcal{F}_{\mathrm{VSS}}^{\mathrm{com}_K}$, which 
sends $(\mathsf{shared}, sid, P_d, \mathrm{com}_K(s; r))$ to all players and S on 
receiving $(\mathsf{share}, sid, (s, r))$ from $P_d$, the dealer, and later, on 
receiving $(\mathsf{open}, sid)$ from $t+1$ distinct players, it sends 
$(\mathsf{opened}, sid, s)$ to all players and S. 

Due to the same technical problem as above, if the dealer may be adaptively 
corrupted, we need to incorporate spooling into the committed VSS 
functionality: $\mathcal{F}_{\mathrm{SVSS}}^{\mathrm{com}_K}$ first spools 
$(s, r)$ (and gives $\mathrm{com}_K(s; r)$ to S) before awaiting and executing 
the actual share-command (for the original or a new s). 

We would like to mention that for certain candidate protocols 
$\pi_{\mathrm{VSS}}$ for committed VSS (with spooling), whose security relies on 
the commitment scheme $\mathrm{com}_K$, the generation of the key K needs to be 
added to the VSS functionality in order to be able to prove $\pi_{\mathrm{VSS}}$ 
secure in the UC framework. This is for instance the case for Pedersen's VSS 
scheme as discussed in [3]. 

2.5 The Discrete-Log Setting 

Let $\kappa$ be a security parameter and q be a prime of size $\kappa$. Let 
$G_q$ denote a group of order q, and let g be its generator. We use 
multiplicative notation for the group operation of $G_q$. Some of our 
constructions require $G_q$ to be the order-q multiplicative subgroup of 
$\mathbb{Z}_p^*$ with prime $p = 2q + 1$. Unless otherwise noted, all arithmetic 
is done in $\mathbb{Z}_q$ or $G_q$ and should in each case be clear from the 
context. 

Throughout, we assume that such $(G_q, q, g)$ is given to all players, and that 
the Decision Diffie-Hellman problem for $(G_q, q, g)$ is intractable, meaning 
that the respective uniform distributions over 
$DH = \{(g^{\alpha}, g^{\beta}, g^{\gamma}) \in G_q^3 \mid \alpha \cdot \beta = \gamma\}$ 
and $RND = G_q^3$ are computationally indistinguishable. This assumption 
implies the discrete-log assumption for $(G_q, q, g)$: given a random 
$h = g^{\omega}$, it is computationally infeasible to compute $\omega$. 



3 The Original Feldman VSS 

The Basic Scheme: Let $\alpha_1, \dots, \alpha_n \in \mathbb{Z}_q$ be distinct 
and non-zero. In order to share a (random) secret $s \in \mathbb{Z}_q$, the 
dealer selects a Shamir sharing polynomial 
$f(X) = s + a_1 X + \cdots + a_t X^t \in \mathbb{Z}_q[X]$ and sends 
$s_j = f(\alpha_j)$ privately to $P_j$. Additionally, he broadcasts $C_0 = g^s$ 
as well as $C_k = g^{a_k}$ for $k = 1, \dots, t$. Each player $P_j$ now verifies 
whether 

$$g^{s_j} = \prod_{k=0}^{t} C_k^{\alpha_j^k} \qquad (1)$$ 

If it does not hold for some j, then player $P_j$ broadcasts an accusation 
against the dealer, who has to respond by broadcasting $s_j$ such that (1) 
holds. If he fails, then the execution is rejected, while otherwise $P_j$ uses 
the new $s_j$ as his share. Correct reconstruction is achieved simply by 
filtering out shares that do not satisfy (1). 

This scheme is proved secure against a static adversary: Assume that A 
corrupts $P_{j_1}, \dots, P_{j_t}$. Given $C_0 = g^s$, the simulator S simply 
chooses random shares $s_{j_i} \in \mathbb{Z}_q$ ($i = 1, \dots, t$) for the 
corrupted players, and it computes $C_1, \dots, C_t$ with the right distribution 
from $g^s$ and $g^{s_{j_1}}, \dots, g^{s_{j_t}}$ by applying appropriate 
Lagrange interpolation coefficients "in the exponent". Informally, this shows 
that A learns nothing about s beyond $g^s$. 

This simulation-based proof, though, fails completely if the adversary may 
corrupt players adaptively, i.e., during or even after the execution of the 
protocol. The problem is that given $C_0 = g^s$, S needs to come up with 
$C_1, \dots, C_t$ such that if A corrupts some player $P_j$ at some later point, 
S can serve A with $s_j$ such that (1) is satisfied. However, it is not known 
how to successfully provide such $s_j$ for any dynamic choice of j without 
knowing s, unless A corrupts the dealer to start with. 

Adaptive Security with Erasure: Feldman addressed adaptive security by 
providing a set-up phase where the dealer assigns a private X-coordinate 
$\alpha_j \in \{1, \dots, n\}$ to every $P_j$. Additionally, he needs to convince 
the players of the uniqueness of their $\alpha_j$. This is done in the following 
way. Let E be a semantically-secure public-key encryption function, with 
public-key chosen by the dealer. 

1. The dealer computes an encryption $A_j = E(j; r_j)$ (with random $r_j$) for 
every $j \in \{1, \dots, n\}$, and he chooses $\alpha_1, \dots, \alpha_n$ as a 
random permutation of $1, \dots, n$. Then, he broadcasts $A_1, \dots, A_n$ 
ordered in such a way that $A_j$ appears in $\alpha_j$-th position, and he 
privately sends $(\alpha_j, r_j)$ to $P_j$. 

2. Each $P_j$ locates $A_j$ in position $\alpha_j$ and verifies whether 
$A_j = E(j; r_j)$ and, if it holds, erases $r_j$. The dealer erases 
$r_1, \dots, r_n$, too. 

After the erasure is completed, the dealer performs the basic Feldman VSS with 
X-coordinates $\alpha_1, \dots, \alpha_n$. We stress that it is important that 
the erasures of the $r_j$'s are done before entering the sharing phase. On 
reconstruction, each player broadcasts $(\alpha_j, s_j)$. 

Since each $A_j$ can be opened only to j, player $P_j$ is convinced of the 
uniqueness of $\alpha_j$. Simulation against an adaptive adversary is argued 
separately for each phase. If a player gets corrupted in the set-up phase, the 
simulator S just honestly gives the internal state of the corrupt player to the 
adversary. Nothing needs to be simulated. Then, the sharing phase is simulated 
similarly as for the static adversary, except that, since S does not know which 
players will be corrupted, it predetermines shares for a random subset of size t 
of the X-coordinates $\{1, \dots, n\}$, and whenever a player $P_j$ gets 
corrupted one of these prepared X-coordinates is assigned to $P_j$ as his 
$\alpha_j$. Since $r_j$ has already been erased, it is computationally 
infeasible to determine whether $A_i$ in position $\alpha_j$ is an encryption of 
j or not. 

An Obstacle in Dispute Resolution: We identify a problem in the dispute 
resolution of the above scheme.¹ Suppose that honest $P_j$ accuses the dealer, 
and that instead of publishing the correct $(\alpha_j, s_j)$, the corrupt dealer 
responds by publishing $(\alpha_i, s_i)$ of another honest player $P_i$. Since 
$r_j$ and $r_i$ have already been erased, both $P_j$ and $P_i$ have no way to 
prove that the published $\alpha_i$ is different from the original assignment. 

To efficiently settle such a dispute, a digital signature scheme is needed. 
That is, the dealer sends $\alpha_j$ with his signature in the set-up phase. 
This allows $P_j$ to publish the signature when he accuses the dealer in the 
sharing phase. Without using digital signatures, $O(t)$ additional rounds are 
needed to settle the dispute: If $P_i$ observes that his $(\alpha_i, s_i)$ is 
published in response to the accusation from $P_j$, $P_i$ also accuses the 
dealer and the dealer publishes the data for $P_i$ this time. After repeating 
this accuse-then-publish process at most $t + 1$ times, the dealer either gets 
stuck or exposes $t + 1$ correct shares. 

¹ No dispute resolution procedure is shown in [10]. It is said that a player 
simply rejects the dealer when he receives an incorrect share (and the dealer is 
disqualified if more than $t + 1$ players reject). But this works only if 
$t < n/3$. 

4 Adaptive Security Without Overheads and Erasures 

The goal of this section is an adaptively secure Feldman VSS that provides (1) 
security without the need for reliably erasing data, (2) efficient dispute resolution 
without digital signatures, and (3) efficient realization over a public network, i.e. 
without secure channels (or expensive non-committing encryptions). 

The first two goals are achieved by a simple modification of the original Feld- 
man VSS. The idea is to replace the encryption function E with instantiations 
of a trapdoor commitment scheme with certain properties whose commitment 
keys are provided separately from each player so that the trapdoors are not 
known to the dealer. We show this modified Feldman VSS and the security 
proof in [3] . Since Pedersen’s commitment scheme turns out to be good enough 
for this purpose, we have a scheme that meets (1) and (2) solely under the DL 
assumption. Furthermore, the modified scheme is more efficient in the number 
of communication rounds over the original adaptively-secure Feldman VSS. 

Hence, as far as the secure-channels model is concerned, we are done. 
Unfortunately, we do not know how to implement the above scheme efficiently 
over a public network, even when limiting the power of the adversary as we do in 
Sect. 4.2 below. Therefore, we design a new scheme which allows us to seamlessly 
install our efficient components for public communication presented later. 

4.1 Construction in a Hybrid Model 

Our approach is to let each player $P_j$ select a random non-zero X-coordinate 
$\alpha_j \in \mathbb{Z}_q$ and send it privately to the dealer. When corrupted, 
a simulated player reveals a (fake) X-coordinate that has been prepared in 
advance to be consistent with the transcript, as in Feldman's approach. On the 
other hand, in case of a dispute, each player $P_j$ should be able to convince 
the other players of his $\alpha_j$. This is achieved by initially sending 
$\alpha_j$ to the dealer using secure message transmission with opening, as 
specified in Sect. 2.4 by functionality $\mathcal{F}_{\mathrm{SSMTwo}}$. The 
scheme is detailed in Fig. 1 in the 
$(\mathcal{F}_{\mathrm{SSMTwo}}, \mathcal{F}_{\mathrm{SSMT}})$-hybrid model. 

Consider Feldman's commitment scheme $\mathrm{fcom}_g$ with base g: a 
commitment for a secret $s \in \mathbb{Z}_q$ is computed as 
$\mathrm{fcom}_g(s; r) = \mathrm{fcom}_g(s) = g^s$ (without using r). 
[Sharing Phase] 

F-1. Each $P_j$ selects $\alpha_j \leftarrow \mathbb{Z}_q^*$ and sends 
$\alpha_j$ to the dealer via $\mathcal{F}_{\mathrm{SSMTwo}}$. The dealer 
replaces any $\alpha_j$ that happens to be 0 by $\alpha_j = 1$. 

F-2. The dealer selects 
$f(X) = a_0 + a_1 X + \cdots + a_t X^t \leftarrow \mathbb{Z}_q[X]$ where 
$a_0 = s$, computes $C_k = g^{a_k}$ for $k = 0, \dots, t$ and broadcasts 
$(C_0, \dots, C_t)$. For every $P_i$ he sends $s_i = f(\alpha_i)$ by using 
$\mathcal{F}_{\mathrm{SSMT}}$. 

F-3. Each $P_j$ verifies $g^{s_j} = \prod_{k=0}^{t} C_k^{\alpha_j^k}$ and 
broadcasts verified if it holds. Otherwise, $P_j$ broadcasts accuse dealer. 
For every accusation, the following sub-protocol is executed in parallel. 

(a) $P_j$ sends $(\mathsf{open}, sid)$ to $\mathcal{F}_{\mathrm{SSMTwo}}$ and 
every player receives $\alpha_j$. If $\alpha_j = 0$, then it is replaced by 
$\alpha_j = 1$. 

(b) The dealer broadcasts the corresponding $s_j$. 

(c) If $(\alpha_j, s_j)$ satisfies the verification predicate, then $P_j$ 
accepts $(\alpha_j, s_j)$ as his share; otherwise the players output a default 
sharing of $s = 0$. (Note that the players have agreement on the published 
values $\alpha_j$ and $s_j$.) 

[Reconstruction Phase] 

Each $P_j$ broadcasts $(\alpha_j, s_j)$, identifies $Q \subseteq \{1, \dots, n\}$, 
$|Q| \geq t + 1$, so that $(\alpha_i, s_i)$ satisfies the verification predicate 
for all $i \in Q$, reconstructs the secret s by Lagrange interpolation with 
regard to Q, and then outputs s. 

Fig. 1. Adaptively secure Feldman-VSS $\pi_{\mathrm{XFVSS}}$ in the 
$(\mathcal{F}_{\mathrm{SSMTwo}}, \mathcal{F}_{\mathrm{SSMT}})$-hybrid model. 



Proposition 1. Protocol $\pi_{\mathrm{XFVSS}}$ shown in Fig. 1 securely 
realizes $\mathcal{F}_{\mathrm{SVSS}}^{\mathrm{fcom}_g}$ in the 
$(\mathcal{F}_{\mathrm{SSMTwo}}, \mathcal{F}_{\mathrm{SSMT}})$-hybrid model 
against a t-limited adaptive adversary for $t < n/2$. 

The proof is given in [3]. Essentially, it uses the same idea as Feldman's 
version: the simulator prepares (random) shares $s_1, \dots, s_t$ for t 
X-coordinates $\tilde{\alpha}_1, \dots, \tilde{\alpha}_t$ and assigns to every 
newly corrupted player $P_j$ one of these X-coordinates as $\alpha_j$ and the 
corresponding share as $s_j$. 
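The basic scheme and predicate (1) from Section 3, the reconstruction phase of Fig. 1, and the static simulator's "Lagrange interpolation in the exponent", as an added example that is not the paper's code. It assumes a toy safe-prime group p = 2039, q = 1019, g = 4 (far too small to be secure), lets the players supply their own non-zero X-coordinates as in step F-1, and abstracts the F_SSMT/F_SSMTwo channels and the accusation sub-protocol away: a share that fails (1) is simply filtered out at reconstruction, as the text describes. All secrets and coordinates are constructed.

```python
import secrets

# Toy safe-prime group (assumption, not from the paper): p = 2q + 1 and
# g = 4 generates the order-q subgroup of Z_p^*.  Not secure at this size.
P, Q, G = 2039, 1019, 4
assert pow(G, Q, P) == 1 and G != 1


def poly_eval(coeffs, x):
    """f(x) for f(X) = coeffs[0] + coeffs[1] X + ... + coeffs[t] X^t over Z_q."""
    return sum(a * pow(x, k, Q) for k, a in enumerate(coeffs)) % Q


def lagrange_basis(xs):
    """Coefficient vectors in Z_q[X] of the Lagrange basis polynomials l_m(X)
    for the X-coordinates xs, so that f(X) = sum_m f(x_m) * l_m(X)."""
    basis = []
    for m, xm in enumerate(xs):
        num, denom = [1], 1
        for k, xk in enumerate(xs):
            if k == m:
                continue
            # num := num * (X - xk)
            num = ([(-xk * num[0]) % Q]
                   + [(num[j - 1] - xk * num[j]) % Q for j in range(1, len(num))]
                   + [num[-1]])
            denom = denom * (xm - xk) % Q
        inv = pow(denom, -1, Q)
        basis.append([c * inv % Q for c in num])
    return basis


def deal(secret, alphas, t):
    """Dealer (step F-2): degree-t Shamir polynomial with a_0 = secret,
    Feldman commitments C_k = g^{a_k}, and share s_j = f(alpha_j)."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t)]
    commits = [pow(G, a, P) for a in coeffs]
    shares = {alpha: poly_eval(coeffs, alpha) for alpha in alphas}
    return commits, shares


def verify_share(commits, alpha, share):
    """Predicate (1): g^{s_j} == prod_k C_k^{alpha_j^k}."""
    rhs = 1
    for k, Ck in enumerate(commits):
        rhs = rhs * pow(Ck, pow(alpha, k, Q), P) % P
    return pow(G, share, P) == rhs


def reconstruct(commits, published, t):
    """Reconstruction phase: keep the published (alpha, s) pairs that satisfy
    (1), take t+1 of them as Q and interpolate f(0) with regard to Q."""
    good = [(a, s) for a, s in published.items() if verify_share(commits, a, s)]
    if len(good) < t + 1:
        raise ValueError("fewer than t+1 valid shares")
    good = good[: t + 1]
    basis = lagrange_basis([a for a, _ in good])
    return sum(s * basis[m][0] for m, (_, s) in enumerate(good)) % Q


def simulate_commitments(C0, corrupt_shares):
    """Static-adversary simulator of Section 3: from C_0 = g^s alone (s is
    not known) and the t shares it chose for the corrupt X-coordinates,
    derive C_1..C_t 'in the exponent' so that (1) holds for every corrupt
    player.  f is fixed by the t+1 points (0, s), (alpha_i, s_i), hence
    a_k = s*l_0[k] + sum_i s_i*l_i[k] and C_k = C0^{l_0[k]} * prod_i g^{s_i*l_i[k]}."""
    xs = [0] + list(corrupt_shares)
    basis = lagrange_basis(xs)
    commits = []
    for k in range(len(xs)):
        Ck = pow(C0, basis[0][k], P)
        for m, (_, s) in enumerate(corrupt_shares.items(), start=1):
            Ck = Ck * pow(G, s * basis[m][k] % Q, P) % P
        commits.append(Ck)
    return commits


if __name__ == "__main__":
    t, alphas = 2, [11, 22, 33, 44, 55]        # constructed player-chosen X-coordinates
    commits, shares = deal(777, alphas, t)
    print(all(verify_share(commits, a, s) for a, s in shares.items()))
    print(reconstruct(commits, shares, t))      # 777
    sim = simulate_commitments(commits[0], {22: 5, 44: 900})
    print(verify_share(sim, 22, 5), verify_share(sim, 44, 900))
```

The simulator never learns s, yet the commitments it derives are distributed exactly like a real dealer's and pass (1) for the corrupt coordinates it fixed in advance; asking it for a share at a third, unplanned coordinate is precisely what it cannot answer, which is the adaptive-corruption obstacle the text goes on to discuss.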

4.2 Efficient Composition to the Real-Life Protocol 

This section provides protocols that realize $\mathcal{F}_{\mathrm{SSMT}}$ and 
$\mathcal{F}_{\mathrm{SSMTwo}}$ over the public network with broadcast, i.e., 
without secure channels. Then, by applying the composition theorem, one can 
have adaptively secure Feldman VSS as a real-life protocol. As we shall see, 
these realizations are efficient but have some limitation on the adversary, 
which though can be successfully overcome in our applications. 

Our constructions require an efficient bidirectional mapping between 
$\mathbb{Z}_q$ and $G_q$ while the DDH problem should be hard to solve. This is 
the case when $G_q$ is the order-q multiplicative subgroup of $\mathbb{Z}_p^*$ 
with prime $p = 2q + 1$. Indeed, encoding $\mathbb{Z}_q \to G_q$ can be done by 
a map $m \mapsto M$ computed modulo p, where $m \in \mathbb{Z}_q$ is identified 
with its representative in $\{1, \dots, q\}$. This encoder is denoted by 
$M = \mathrm{Encode}(m)$ and the corresponding decoder by 
$m = \mathrm{Decode}(M)$. 

326 Masayuki Abe and Serge Fehr 

Receiver Non-committing Message Transmission: By $\pi_{\mathrm{RNC}}$ we denote 
a protocol that realizes $\mathcal{F}_{\mathrm{SSMT}}$ (or 
$\mathcal{F}_{\mathrm{SMT}}$) with receiver non-committing feature. That is, it 
remains secure even if the receiver is adaptively corrupted (in the non-erasure 
model), while the sender may only be statically corrupted. Note that with such a 
restriction on the sender, $\mathcal{F}_{\mathrm{SMT}}$ can be realized (without 
spooling). We review the construction by [13] (adapted to accept messages 
$m \in \mathbb{Z}_q$), which is originally designed in a classical model but can 
fit the UC model. A proof is given in the full version of the paper [3]. 



A-0. (Initial step) Sender $P_s$ chooses $h \leftarrow G_q$ and sends it to 
receiver $P_r$. 

A-1. $P_r$ selects $z_1, z_2 \leftarrow \mathbb{Z}_q$, computes 
$y = g^{z_1} h^{z_2}$ and sends y to $P_s$. 

A-2. $P_s$ computes $u = g^r$, $v = h^r$ and $c = \mathrm{Encode}(m)\, y^r$, 
where $r \leftarrow \mathbb{Z}_q$, and sends $(u, v, c)$ to $P_r$. 

A-3. $P_r$ computes $m = \mathrm{Decode}(c\, u^{-z_1} v^{-z_2})$. 

Fig. 2. Protocol $\pi_{\mathrm{RNC}}$ for receiver non-committing transmission. 



Lemma 1. Under the DDH assumption, protocol $\pi_{\mathrm{RNC}}$ securely 
realizes $\mathcal{F}_{\mathrm{SSMT}}$ (or $\mathcal{F}_{\mathrm{SMT}}$) against 
an adaptive adversary if the sender is only statically corrupt and S is aware 
of w with $\mathrm{Encode}(m) = g^w$. 

The assumption that the ideal-life adversary S is aware of the DL of 
$\mathrm{Encode}(m)$ seems quite restrictive for $\pi_{\mathrm{RNC}}$ to be a 
general stand-alone tool. It is however acceptable for our purpose as m will be 
chosen by S in an upper-level protocol (playing the role of the 
to-be-corrupted sender) such that it knows the DL of $\mathrm{Encode}(m)$. We 
stress that this assumption does not mean at all that S is given any kind of 
power to solve the DL problem. 

Sender Non-committing Message Transmission with Opening: A protocol $\pi_{\mathrm{SNC}}$
that realizes $\mathcal{F}_{\mathrm{SMT}}$ with the sender non-committing feature follows easily from $\pi_{\mathrm{RNC}}$.
The receiver $P_R$ simply uses $\pi_{\mathrm{RNC}}$ to securely send a randomly chosen $k \in G_q$
to the sender $P_S$ (precisely, $P_R$ sends the message $\mathrm{Decode}(k) \in \mathbb{Z}_q$), and then
$P_S$ sends $e = k \cdot \mathrm{Encode}(m)$ to $P_R$, who computes $m$ as $m = \mathrm{Decode}(e k^{-1})$.
We also consider the following variant of $\pi_{\mathrm{SNC}}$, which we denote by $\pi_{\mathrm{SNCwo}}$. All
communication is done over the broadcast channel, and in an additional phase,
the opening phase, the sender $P_S$ publishes $z_1$ and $z_2$, privately sampled for
the secure transmission of $m$, and every player verifies whether $g^{z_1} h^{z_2} = y$ and
computes $k = c\, u^{-z_1} v^{-z_2}$ and $m = \mathrm{Decode}(e k^{-1})$.
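The two transmission protocols above, as an added worked example that is not part of the paper: a run of $\pi_{\mathrm{RNC}}$ from Fig. 2 and of the opening variant $\pi_{\mathrm{SNCwo}}$ over a toy safe-prime group. The group ($p = 2039$, $q = 1019$, $g = 4$), the square-root map used as Encode/Decode, and the function names are assumptions of this example, not fixed by the paper.

```python
import secrets

P = 2039   # toy safe prime p = 2q + 1 (constructed for this example)
Q = 1019   # prime order of the subgroup G_q of quadratic residues mod p
G = 4      # generator of G_q (any quadratic residue other than 1)

def encode(m):
    """Encode: Z_q -> G_q, m |-> (m+1)^2 mod p; injective for 0 <= m < q
    because m+1 lies in [1, q] and squares of distinct such values differ."""
    assert 0 <= m < Q
    return pow(m + 1, 2, P)

def decode(c):
    """Decode: inverse of encode. p = 3 (mod 4), so c^((p+1)/4) is a square
    root of c; pick the root in [1, q] and subtract 1."""
    r = pow(c, (P + 1) // 4, P)
    if r > Q:
        r = P - r
    return r - 1

def inv(x):
    """Multiplicative inverse modulo p."""
    return pow(x, -1, P)

def rnc_setup():
    """A-0: the sender P_S chooses h <- G_q and sends it to P_R."""
    return pow(G, secrets.randbelow(Q - 1) + 1, P)

def rnc_receiver_keygen(h):
    """A-1: P_R picks z1, z2 <- Z_q and sends y = g^z1 h^z2."""
    z1, z2 = secrets.randbelow(Q), secrets.randbelow(Q)
    return (z1, z2), pow(G, z1, P) * pow(h, z2, P) % P

def rnc_send(h, y, m):
    """A-2: P_S sends (u, v, c) = (g^r, h^r, Encode(m) y^r) for r <- Z_q."""
    r = secrets.randbelow(Q)
    return pow(G, r, P), pow(h, r, P), encode(m) * pow(y, r, P) % P

def rnc_unmask(u, v, c, z):
    """c u^{-z1} v^{-z2} = Encode(m): the group element P_R recovers."""
    z1, z2 = z
    return c * inv(pow(u, z1, P)) * inv(pow(v, z2, P)) % P

def rnc_receive(ct, z):
    """A-3: P_R outputs m = Decode(c u^{-z1} v^{-z2})."""
    return decode(rnc_unmask(*ct, z))

def rnc_roundtrip(m):
    """Run all four steps of pi_RNC for message m and return P_R's output."""
    h = rnc_setup()
    z, y = rnc_receiver_keygen(h)
    return rnc_receive(rnc_send(h, y, m), z)

def sncwo_run(m):
    """pi_SNCwo: P_R (as RNC sender) transmits k to P_S (as RNC receiver)
    with pi_RNC, then P_S broadcasts e = k * Encode(m).  Returns P_R's
    output, the public transcript and P_S's opening (z1, z2)."""
    h = rnc_setup()                          # chosen by P_R, the RNC sender
    z, y = rnc_receiver_keygen(h)            # P_S plays the RNC receiver
    k = pow(G, secrets.randbelow(Q - 1) + 1, P)   # P_R picks k <- G_q
    u, v, c = rnc_send(h, y, decode(k))      # P_R transmits Decode(k)
    k_at_ps = rnc_unmask(u, v, c, z)         # P_S recovers Encode(Decode(k)) = k
    e = k_at_ps * encode(m) % P              # P_S sends e = k Encode(m)
    m_at_pr = decode(e * inv(k) % P)         # P_R computes Decode(e k^{-1})
    return m_at_pr, dict(h=h, y=y, u=u, v=v, c=c, e=e), z

def sncwo_verify_opening(tr, z):
    """Opening phase: from the published (z1, z2) every player checks
    g^z1 h^z2 = y, recomputes k and outputs m, or None on a bad opening."""
    z1, z2 = z
    if pow(G, z1, P) * pow(tr["h"], z2, P) % P != tr["y"]:
        return None
    k = rnc_unmask(tr["u"], tr["v"], tr["c"], z)
    return decode(tr["e"] * inv(k) % P)
```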

Lemma 2. Under the DDH assumption, protocol $\pi_{\mathrm{SNC}}$ securely realizes $\mathcal{F}_{\mathrm{SMT}}$ and
$\pi_{\mathrm{SNCwo}}$ securely realizes $\mathcal{F}_{\mathrm{SMTwo}}$ against an adaptive adversary if the receiver is
only statically corrupt and $\mathcal{S}$ is aware of $w$ with $\mathrm{Encode}(m) = g^w$.

The proof of Lemma 2 is similar to that of Lemma 1, although slightly more
involved. For completeness, it is included in [3].

Composition with the Efficient Realizations: We now show that when the functionalities
$\mathcal{F}_{\mathrm{SMTwo}}$ and $\mathcal{F}_{\mathrm{SMT}}$ in the hybrid protocol $\pi_{\mathrm{XFVSS}}$ are implemented by
$\pi_{\mathrm{SNCwo}}$ and $\pi_{\mathrm{RNC}}$, respectively, then the composed protocol securely realizes $\mathcal{F}_{\mathrm{VSS}}$
(in either of its two variants) in the weakened sense stated below.

Theorem 1. Implementing the functionality $\mathcal{F}_{\mathrm{SMTwo}}$ in step F-1 of the hybrid
protocol $\pi_{\mathrm{XFVSS}}$ from Fig. 1 by $\pi_{\mathrm{SNCwo}}$ and $\mathcal{F}_{\mathrm{SMT}}$ in step F-2 by $\pi_{\mathrm{RNC}}$ results in a
secure realization of $\mathcal{F}_{\mathrm{VSS}}$ (in either of its two variants) in the real-life model, assuming that (1)
the adversary corrupts the dealer only statically, and (2) the adversary corrupts
players only before the reconstruction phase.

Proof. The claim follows essentially from Proposition 1, Lemmas 1 and 2, and
the composition theorem. It remains to show that the assumptions of Lemmas 1
and 2 are satisfied. By assumption (1) it is guaranteed that the receiver in $\pi_{\mathrm{SNC}}$
and the sender in $\pi_{\mathrm{RNC}}$ (which in both cases is the dealer) is only statically corrupt.
Furthermore, by (2) and the way $\mathcal{S}$ works in the proof of Proposition 1, the
messages which are supposedly sent through $\mathcal{F}_{\mathrm{SMTwo}}$ and $\mathcal{F}_{\mathrm{SMT}}$, and for which $\mathcal{S}$
has to convince $\mathcal{A}$ that they are the messages sent through $\mathcal{F}_{\mathrm{SMTwo}}$ respectively $\mathcal{F}_{\mathrm{SMT}}$,
are the values $\alpha_1, \dots, \alpha_t$ and $s_1, \dots, s_t$, all chosen randomly from $\mathbb{Z}_q$ (respectively
$\mathbb{Z}_q^*$) by $\mathcal{S}$. Hence, $\mathcal{S}$ could sample them just as well by choosing $w \leftarrow \mathbb{Z}_q$
and computing $\mathrm{Decode}(g^w)$, so that the conditions of Lemmas 1 and 2 are
indeed satisfied. Finally, as the dealer may only be statically corrupted, we do
not need to care about spooling. Thus the two variants of $\mathcal{F}_{\mathrm{VSS}}$ are equivalent here. □

5 Applications to Threshold Cryptography

In this section, we propose several applications of the adaptively-secure Feldman
VSS scheme from the previous section. Our main applications are a DLKG protocol
and a UC threshold Schnorr signature scheme, though we also propose some
related applications which might be of independent interest, like a trapdoor-key
generation protocol for Pedersen's commitment scheme and distributed-verifier
UC proofs of knowledge. Interestingly, even though our Feldman VSS scheme
has only restricted adaptive security, the applications remain fully adaptively secure
in the (SIP) UC model and are not subject to restrictions as posed in Theorem 1.

To simplify terminology, from now on when referring to protocol $\pi_{\mathrm{XFVSS}}$ we
mean $\pi_{\mathrm{XFVSS}}$ from Fig. 1 with $\mathcal{F}_{\mathrm{SMTwo}}$ and $\mathcal{F}_{\mathrm{SMT}}$ replaced by $\pi_{\mathrm{SNCwo}}$ and $\pi_{\mathrm{RNC}}$ as
specified in Theorem 1. Furthermore, it will at some point be convenient to use
a different base, say $h$, rather than the public parameter $g$ in the core part of
$\pi_{\mathrm{XFVSS}}$, such that for instance $h^s$ will be published as $C$. This will be denoted by
$\pi_{\mathrm{XFVSS}}[h]$, and it obviously securely realizes $\mathcal{F}_{\mathrm{VSS}}$ as well. We stress that this modification
is not meant to affect the sub-protocols $\pi_{\mathrm{SNCwo}}$ and $\pi_{\mathrm{RNC}}$.



5.1 How to Generate the First Trapdoor Commitment-Key

In many protocols, a trapdoor commitment-key is considered as given by some
trusted party so that the trapdoor information is unknown to any player. If the
trusted party is replaced with multi-party computation, as we usually do, the
protocol should be designed not to use any common trapdoor commitment-key.
In this section, we show a protocol that meets this requirement.

The players execute protocol $\pi_{\mathrm{HGEN}}$ in Fig. 3. We assume that it is triggered
by a player $P_i$ who sends $\mathit{init}$ to all players. The protocol outputs a (trapdoor)
commitment-key $h \in G_q$ for Pedersen's commitment scheme. Note that the
corresponding trapdoor $\log_g h = \sum_{j \in Q} x_j$ is not shared among the players (in
the usual way).



H-1. Every $P_j$ chooses $x_j \leftarrow \mathbb{Z}_q$ and sends $(\mathit{share}, sid, x_j)$ to $\mathcal{F}_{\mathrm{VSS}}$. Let $Q$ be the
set of players whose $(\mathit{shared}, sid, P_j, Y_j)$ is published by $\mathcal{F}_{\mathrm{VSS}}$. Remember
that $Y_j = f_{\mathrm{com},g}(x_j) = g^{x_j}$.

H-2. Every player outputs $h = \prod_{j \in Q} Y_j$.

Fig. 3. Commitment-key generation protocol $\pi_{\mathrm{HGEN}}$ in the $\mathcal{F}_{\mathrm{VSS}}$-hybrid model.



Unfortunately, one cannot expect $h$ to be random, as a rushing party can affect
its distribution. However, the protocol inherits the following two properties, which
are sufficient for our purpose. (1) A simulator that simulates $\pi_{\mathrm{HGEN}}$ can compute
the DL of $h$, and (2) given $Y \in G_q$, a simulator can embed $Y$ into $h$ so that
given $\log_g h$, the simulator can compute $\log_g Y$. The latter in particular implies
that the adversary is not able to compute the trapdoor $\log_g h$.

Our idea for formally capturing such a notion is that the ideal functionality
challenges the adversary $\mathcal{S}$ by sending a random $h' \in G_q$ and allows $\mathcal{S}$ to randomize
it, so that $h'$ is transformed into $h$ such that $\mathcal{S}$ knows the trapdoor for $h$
if and only if it knows it for $h'$. This clearly captures (1) and (2) above.

Definition 1 (Commitment-Key Generation Functionality: $\mathcal{F}_{\mathrm{HGEN}}$).

1. On receiving $(\mathit{generate}, sid)$ from $P_i$, choose $h' \leftarrow G_q$ and send $(h', P_i)$ to $\mathcal{S}$.

2. On receiving $\gamma \in \mathbb{Z}_q$ from $\mathcal{S}$, compute $h = h' g^{\gamma}$ and send $(\mathit{com\text{-}key}, sid, h)$ to
all players and $\mathcal{S}$.

Proposition 2. Protocol $\pi_{\mathrm{HGEN}}$ in Fig. 3 securely realizes $\mathcal{F}_{\mathrm{HGEN}}$ against a $t$-limited
adaptive adversary for $t < n/2$ in the $\mathcal{F}_{\mathrm{VSS}}$-hybrid SIP UC model.

The proof is given in the full version of the paper. Essentially, on receiving $(h', P_i)$
from $\mathcal{F}_{\mathrm{HGEN}}$, $\mathcal{S}$ simulates the SIP $P_{j^*}$'s call to $\mathcal{F}_{\mathrm{VSS}}$ with input $h'$, and it sends
$\gamma = \sum_{j \in Q,\, j \neq j^*} x_j$ to $\mathcal{F}_{\mathrm{HGEN}}$.

We claim that $\mathcal{F}_{\mathrm{VSS}}$ in $\pi_{\mathrm{HGEN}}$ can be securely realized by the protocol $\pi_{\mathrm{XFVSS}}$
from Theorem 1. This may look contradictory, since $\pi_{\mathrm{XFVSS}}$ is secure only against
static corruption of the dealer as stated in Theorem 1, while in $\pi_{\mathrm{HGEN}}$ every
player acts as a dealer and may be adaptively corrupted. However, looking at
the proof, except for the run launched by the SIP $P_{j^*}$, $\mathcal{S}$ simulates all runs of
$\mathcal{F}_{\mathrm{VSS}}$ honestly with true inputs. Hence, for these simulations, the situation is
exactly as in the case where the dealer is statically corrupted and the secret is
known to the simulator at the beginning. Furthermore, the reconstruction phase
of $\mathcal{F}_{\mathrm{VSS}}$ is never invoked in $\pi_{\mathrm{HGEN}}$. Thus, the following holds.

Theorem 2. Implementing $\mathcal{F}_{\mathrm{VSS}}$ in $\pi_{\mathrm{HGEN}}$ of Fig. 3 by $\pi_{\mathrm{XFVSS}}$ results in a secure
realization of $\mathcal{F}_{\mathrm{HGEN}}$ against a $t$-limited adaptive adversary for $t < n/2$ in the (real-life)
SIP UC model.



5.2 DL-Key Generation

This section constructs an adaptively secure protocol for DLKG, whose functionality
is defined below. Clearly, from such a key-generation protocol (respectively
functionality), one expects that it outputs a public-key $y$ and in some hidden way
produces the corresponding secret-key $x$ (typically by having it shared among
the players), such that $x$ can be used to do some cryptographic task like signing
or decrypting if enough of the players agree [16]. However, as we want to view
our protocol as a generic building block for threshold schemes, we simply require
that the secret-key $x$ can be opened rather than be used for some specific task.
In Sect. 5.3 we then show a concrete example threshold scheme based on our
DLKG protocol.

Definition 2 (Threshold DL Key Generation Functionality: $\mathcal{F}_{\mathrm{DLKG}}$).

1. On receiving $(\mathit{generate}, sid)$ from $P_i$, select $x \leftarrow \mathbb{Z}_q$, compute $y = g^x$, and
send $(\mathit{key}, sid, y)$ to all players and $\mathcal{S}$.

2. On receiving $(\mathit{open}, sid)$ from $t+1$ players, send $(\mathit{private}, sid, x)$ to all players
and $\mathcal{S}$.

Our realization of $\mathcal{F}_{\mathrm{DLKG}}$ is illustrated in Fig. 5 below, and makes use of (ordinary)
Pedersen's VSS scheme given in Fig. 4.



[Sharing Phase]

P-1. The dealer selects $f(X) = a_0 + a_1 X + \cdots + a_t X^t \in \mathbb{Z}_q[X]$ and $f'(X) =
b_0 + b_1 X + \cdots + b_t X^t \in \mathbb{Z}_q[X]$ where $a_0 = s$. Let $r = b_0$. The dealer then
computes and broadcasts $C = C_0 = g^{a_0} h^{b_0}$ and $C_k = g^{a_k} h^{b_k}$ for $k = 1, \dots, t$,
and he sends $s_i = f(i)$ and $r_i = f'(i)$ to $P_i$ using $\mathcal{F}_{\mathrm{SMT}}$.

P-2. Each $P_i$ verifies whether $g^{s_i} h^{r_i} = E_i$ where $E_i = \prod_{k=0}^{t} C_k^{\,i^k}$. $P_i$ broadcasts
verified if it holds and else initiates the accusation sub-protocol, which is the
same as that of Feldman VSS with obvious modifications.

[Reconstruction Phase]

Every player $P_i$ publicly opens $E_i$ to $s_i$. The secret $s$ is reconstructed using Lagrange
interpolation from the correctly opened $s_i$'s.

Fig. 4. Pedersen's VSS scheme: $\mathrm{PedVSS}_{g,h}(s) \to (s_1, \dots, s_n, r, C)$.

We do not prove Pedersen's VSS secure in the UC framework, and in fact it
is not (as a committed VSS against an adaptive adversary). The only security
requirement we need is covered by the following well-known fact.

Lemma 3. Except with negligible probability, after the sharing phase of Pedersen's
VSS, both the $s_i$'s and $r_i$'s of the uncorrupt players are correct sharings of
$s$ and $r$ such that $g^s h^r = C$ and such that $s$ is reconstructed in the reconstruction
phase (and $s$ and $r$ coincide with the dealer's choice in case he remains honest),
or otherwise $\log_g h$ can be efficiently extracted from the adversary.

We write $\mathrm{PedVSS}^{j}_{g,h}(s) \to (s_1, \dots, s_n, r, C)$ to denote an execution of the
sharing phase of Pedersen's VSS with secret $s$ and player $P_j$ acting as dealer,
and with values $s_1, \dots, s_n, r, C$ generated as described in Fig. 4.
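Pedersen's VSS of Fig. 4 as added example code (not the paper's): the sharing phase, the P-2 check, and Lagrange reconstruction that discards incorrectly opened shares. The toy group and the second base $h$ (whose DL is fixed in the code only so the example is self-contained; in the protocol nobody knows it) are assumptions of this example.

```python
import secrets

P, Q, G = 2039, 1019, 4        # toy safe-prime group (constructed)
H = pow(G, 123, P)             # second base h; its DL is known only here

def poly_eval(coeffs, x):
    """Evaluate a polynomial over Z_q at x (coeffs[0] is the constant term)."""
    return sum(a * pow(x, k, Q) for k, a in enumerate(coeffs)) % Q

def ped_share(s, n, t):
    """P-1: the dealer samples f, f' of degree t with f(0) = s and r = f'(0),
    broadcasts C_k = g^{a_k} h^{b_k} and sends (s_i, r_i) = (f(i), f'(i))."""
    f = [s % Q] + [secrets.randbelow(Q) for _ in range(t)]
    fp = [secrets.randbelow(Q) for _ in range(t + 1)]
    commits = [pow(G, a, P) * pow(H, b, P) % P for a, b in zip(f, fp)]
    shares = {i: (poly_eval(f, i), poly_eval(fp, i)) for i in range(1, n + 1)}
    return commits, shares, fp[0]          # (C_0..C_t), {i: (s_i, r_i)}, r

def ped_expected(commits, i):
    """E_i = prod_k C_k^{i^k}: the public commitment to P_i's pair (s_i, r_i)."""
    e = 1
    for k, c in enumerate(commits):
        e = e * pow(c, pow(i, k, Q), P) % P
    return e

def ped_verify(commits, i, si, ri):
    """P-2: P_i accepts its share iff g^{s_i} h^{r_i} = E_i."""
    return pow(G, si, P) * pow(H, ri, P) % P == ped_expected(commits, i)

def lagrange_at_zero(points):
    """Interpolate f(0) over Z_q from the dictionary {i: f(i)}."""
    total = 0
    for i, yi in points.items():
        num = den = 1
        for j in points:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total

def ped_reconstruct(commits, opened):
    """Reconstruction phase: keep only correctly opened (s_i, r_i); with at
    least t+1 = len(commits) of them interpolate s, otherwise report failure."""
    good = {i: si for i, (si, ri) in opened.items()
            if ped_verify(commits, i, si, ri)}
    if len(good) < len(commits):
        return None
    return lagrange_at_zero(good)
```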



[Key-Generation Phase]

K-1. A player, $P_i$, sends $(\mathit{generate}, sid)$ to $\mathcal{F}_{\mathrm{HGEN}}$, and commitment-key $h$ is obtained.

K-2. Each player $P_j$ chooses a random $x_j \in \mathbb{Z}_q$ and executes the sharing phase
of Pedersen's VSS with secret $x_j$ and commitment-key $h$: $\mathrm{PedVSS}^{j}_{g,h}(x_j) \to
(x_{j1}, \dots, x_{jn}, r_j, C_j)$. If a player $P_j$ refuses then a default Pedersen sharing
of $x_j = 0$ is taken instead.

K-3. Each $P_j$ sends $(\mathit{share}, sid_j, x_j)$ to the $\mathcal{F}_{\mathrm{VSS}}$ instance with base $g$ and $(\mathit{share}, sid'_j, r_j)$ to the $\mathcal{F}_{\mathrm{VSS}}$ instance with base $h$.

K-4. If $P_i$ receives $(\mathit{shared}, sid_j, P_j, C'_j)$ and $(\mathit{shared}, sid'_j, P_j, C''_j)$, he verifies that
$C_j = C'_j C''_j$ holds. (Note that $C'_j = g^{x_j}$ and $C''_j = h^{r_j}$.) If either of these
messages has not been received or the relation does not hold, then $x_j$ is
reconstructed from its Pedersen sharing, and every $P_i$ sets $C'_j = g^{x_j}$. Output
of this phase is the public-key $y = \prod_{j=1}^{n} C'_j$, while each $P_j$ stores $x_j$ as his
(additive) secret-key share, to which he is committed by $C_j$.

[Opening Phase]

Every player $P_j$ publicly opens $C_j$ by broadcasting $x_j$ and $r_j$. If a player $P_j$ fails to
do so, $x_j$ is reconstructed from its Pedersen sharing. Secret-key $x$ is then computed
as $x = \sum_{j=1}^{n} x_j$.

Fig. 5. Threshold DLKG protocol $\pi_{\mathrm{DLKG}}$ in the ($\mathcal{F}_{\mathrm{HGEN}}$, the two $\mathcal{F}_{\mathrm{VSS}}$ instances, $\mathcal{F}_{\mathrm{SMT}}$)-hybrid model.

Note that in $\pi_{\mathrm{DLKG}}$ the additive shares $x_j$ are used to reconstruct the secret-key
$x$, rather than the threshold-shares implicitly given by the Pedersen sharings of the $x_j$'s. The
reason is that even though using the threshold shares can be proven secure in
the hybrid model, it resists a security proof when the ideal functionality $\mathcal{F}_{\mathrm{SMT}}$
in Pedersen's VSS is replaced by $\pi_{\mathrm{RNC}}$ as we do (due to the DL condition from
Lemma 1). In [3] we show how to modify the scheme in order to be able to use
the threshold-shares as secret-key shares. Also note that, using the terminology
introduced in [2] and based on the results in [1], step K-3 can be seen as a distributed-verifier
zero-knowledge proof of knowledge of $x_j$ and $r_j$ such that $g^{x_j} = C'_j$ and
$h^{r_j} = C''_j$ (see also Sect. 5.4).

Theorem 3. Implementing in the DLKG protocol $\pi_{\mathrm{DLKG}}$ from Fig. 5 the functionalities
$\mathcal{F}_{\mathrm{HGEN}}$, $\mathcal{F}_{\mathrm{SMT}}$ and the two $\mathcal{F}_{\mathrm{VSS}}$ instances by $\pi_{\mathrm{HGEN}}$, $\pi_{\mathrm{RNC}}$, $\pi_{\mathrm{XFVSS}}[g]$ and $\pi_{\mathrm{XFVSS}}[h]$,
respectively, results in a secure realization of $\mathcal{F}_{\mathrm{DLKG}}$ against an adaptive $t$-limited
adversary for $t < n/2$ in the SIP UC model.

Using the UC with joint state framework [8], one can prove using similar
arguments that the commitment-key $h$ can be generated once and for all invocations
of $\pi_{\mathrm{DLKG}}$. Furthermore, concerning efficiency, the communication complexity
of the key-generation phase is comparable to that of the schemes by [13]: it requires
$O(n^2 \kappa)$ bits to be sent over the bilateral public channels and another
$O(n^2 \kappa)$ bits to be broadcast.

The full proof of Theorem 3 is given in the full version of the paper. We
simply sketch its idea here. First, the simulator $\mathcal{S}$ simulates the generation of
$h$ such that it knows the DL of $h$, while step K-2 is executed as prescribed.
Then, it reconstructs the $x_j$'s of the corrupt players, and it computes $C'_{j^*}$ and
$C''_{j^*}$ for the SIP $P_{j^*}$ such that $C'_{j^*} \cdot \prod_{j \neq j^*} g^{x_j} = y$, where $y$
is the value provided by $\mathcal{F}_{\mathrm{DLKG}}$. Then it simulates the two Feldman VSSes with
$P_{j^*}$ as dealer, while the other executions are followed as prescribed (with inputs
$x_j$ respectively $r_j$). As a result, the output of the key-generation phase is $y$.
In the opening phase, having received $x = \log_g(y)$ from $\mathcal{F}_{\mathrm{DLKG}}$, $\mathcal{S}$ simply adapts
$P_{j^*}$'s initial $x_{j^*}$ such that $\sum_{j} x_j = x$, and it uses the DL of $h$ to open $C_{j^*}$ to
(the new) $x_{j^*}$. The only difference in the adversary's and thus the environment's
view between the simulation and a real execution lies in the encrypted Pedersen
shares of (the initial) $x_{j^*}$ given to the uncorrupt players. By the property of $\pi_{\mathrm{RNC}}$,
this cannot be distinguished by the environment.

From now on, when referring to protocol $\pi_{\mathrm{DLKG}}$, we mean $\pi_{\mathrm{DLKG}}$ from Fig. 5
with the functionalities replaced by real-life protocols as specified in Theorem 3.

5.3 Universally-Composable Threshold Schnorr-Signatures

As an example application of our DL-key generation protocol, we propose a
threshold variant of Schnorr's signature scheme [15], provably secure in the UC
framework. The scheme is illustrated in Fig. 6. Recall, a Schnorr signature for
message $m$ under public-key $y = g^x$ consists of $(c, s)$ such that $r = g^s / y^c$ satisfies
$H(m, r) = c$, where $H$ is a cryptographic hash-function. Such a signature is
computed by the signer (in the single-signer variant), who knows the secret-key
$x$, by choosing $k \leftarrow \mathbb{Z}_q$ and computing $r = g^k$, $c = H(m, r)$ and $s = k + cx$.
Schnorr's signature scheme can be proven secure, in the sense of existential
unforgeability against chosen message attacks, in the random oracle model.

Consider the ideal threshold signature functionality $\mathcal{F}_{\mathrm{TSIG}}$ obtained by adapting the
(single-signer) signature functionality from [5] in the obvious way.

Theorem 4. Protocol $\pi_{\mathrm{TSIG}}$ securely realizes $\mathcal{F}_{\mathrm{TSIG}}$ against an adaptive $t$-limited
adversary for $t < n/2$ in the UC model, under the DDH assumption and under the
assumption that the standard Schnorr signature scheme is secure.

We stress that, interestingly, $\pi_{\mathrm{TSIG}}$ securely realizes $\mathcal{F}_{\mathrm{TSIG}}$ in the standard rather
than the SIP UC model.

Proof. (Sketch) The simulator $\mathcal{S}$ simply executes $\pi_{\mathrm{TSIG}}$ honestly. Note that the
public-key $y$ is not dictated by $\mathcal{F}_{\mathrm{TSIG}}$, but rather $\mathcal{F}_{\mathrm{TSIG}}$ asks $\mathcal{S}$ to provide it. In
order to prove that this is a good simulation, we argue as follows. The only
order to prove that this is a good simulation, we argue as follows. The only 
[Key-Generation Phase]

The players execute the key-generation phase of $\pi_{\mathrm{DLKG}}$, resulting in a public-key $y$,
private (additive) secret-key shares $x_1, \dots, x_n$ with corresponding commitments
$C_1, \dots, C_n$, and commitment-key $h$.

[Signing Phase]

In order to sign a message $m$, the following steps are executed.

S-1. The players once more invoke the key-generation phase of $\pi_{\mathrm{DLKG}}$, but skipping
the generation of $h$ and taking $h$ from the generation of $y$. Denote the output
by $r$, the corresponding additive secret-key shares by $k_1, \dots, k_n$, and the
corresponding commitments by $K_1, \dots, K_n$.

S-2. Each player $P_j$ computes $c = H(m, r)$ and publicly opens $K_j C_j^{\,c}$ to $s_j =
k_j + c x_j$. If a player $P_j$ fails to do so, $s_j$ is reconstructed from its Pedersen
sharing (which is implicitly given by the Pedersen sharings of $x_j$ and $k_j$).
Signature $(c, s)$ is completed by $s = \sum_j s_j$.

Fig. 6. Threshold Schnorr-signature scheme $\pi_{\mathrm{TSIG}}$.

way $\mathcal{Z}$ may see a difference is when $\mathcal{A}$ breaks the signature scheme, i.e., when
a player provides at some point a valid signature on a message that has not
been signed. However, if there exist $\mathcal{Z}$ and $\mathcal{A}$ that can enforce such an event
with non-negligible probability, then there exists a forger $F$ that breaks the
existential unforgeability against chosen message attacks of the standard (single-signer)
Schnorr signature scheme. $F$ works as follows. $F$ runs $\mathcal{Z}$ and $\mathcal{A}$, and
it simulates the actions of $\mathcal{S}$, i.e. the execution of $\pi_{\mathrm{TSIG}}$, as follows. It uses the
SIP simulator for the key-generation phase of $\pi_{\mathrm{DLKG}}$ to force the output of the
key-generation to be the given public-key $y$. Furthermore, to sign a message $m$,
it asks the signing oracle for a signature $(c, s)$ on $m$, it forces as above the
outcome of S-1 to be $r = g^s / y^c$, and it uses a straightforward modification of
the SIP simulator for the opening phase of $\pi_{\mathrm{DLKG}}$ to simulate the signing phase:
the simulated $P_{j^*}$ opens $K_{j^*} C_{j^*}^{\,c}$ to $s - \sum_{j \neq j^*} s_j$ in step S-2 (rather than to
$k_{j^*} + c x_{j^*}$), forcing the output of the signing phase to be the given signature
$(c, s)$. Additionally, whenever a message-signature pair $(m, \sigma)$ is asked to be
verified, $F$ first checks whether $m$ was never signed before and if $\sigma$ is a valid
signature on $m$. Once such a pair $(m, \sigma)$ is found, $F$ outputs that pair and halts.
Similar to the proof of Theorem 3, one can show that if $\mathcal{A}$ does not corrupt the
SIP then $\mathcal{Z}$ cannot distinguish between the real execution of $\pi_{\mathrm{TSIG}}$ (executed by
the simulator $\mathcal{S}$) and the SIP simulation (executed by the forger $F$). Hence, by
assumption on $\mathcal{Z}$ and $\mathcal{A}$, $F$ outputs a signature on a message not signed by the
signing oracle with non-negligible probability. □
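Added example (not from the paper) for the additive-share arithmetic of $\pi_{\mathrm{DLKG}}$ (Fig. 5) and the signing phase of $\pi_{\mathrm{TSIG}}$ (Fig. 6) on the honest path, where every player opens its commitment, so the Pedersen-sharing fallback and the two Feldman sharings are not exercised; it also carries the standard single-signer check so the assembled $(c, s)$ can be verified. The toy group, the stand-in commitment-key $h$ and SHA-256 reduced mod $q$ as $H$ are assumptions of this example.

```python
import hashlib
import secrets

P, Q, G = 2039, 1019, 4            # toy safe-prime group (constructed)
H_BASE = pow(G, 123, P)            # stand-in for the commitment-key h of pi_HGEN

def commit(x, r):
    """Pedersen commitment g^x h^r under the commitment-key h."""
    return pow(G, x, P) * pow(H_BASE, r, P) % P

def hash_to_zq(m, r):
    """c = H(m, r), modelled here as SHA-256 of (m, r) reduced mod q."""
    d = hashlib.sha256(m + b"|" + str(r).encode()).digest()
    return int.from_bytes(d, "big") % Q

def dlkg_keygen(n):
    """K-2 .. K-4, honest path: each P_j picks x_j and commits C_j = g^x_j h^r_j;
    the opened Feldman commitments are C'_j = g^x_j and C''_j = h^r_j, everybody
    checks C_j = C'_j C''_j and sets y = prod_j C'_j.  Returns (y, [C_j], [(x_j, r_j)])."""
    secrets_ = [(secrets.randbelow(Q), secrets.randbelow(Q)) for _ in range(n)]
    C = [commit(x, r) for x, r in secrets_]
    Cp = [pow(G, x, P) for x, _ in secrets_]
    Cpp = [pow(H_BASE, r, P) for _, r in secrets_]
    for j in range(n):
        if C[j] != Cp[j] * Cpp[j] % P:
            raise ValueError("player %d: C_j != C'_j C''_j" % (j + 1))
    y = 1
    for v in Cp:
        y = y * v % P
    return y, C, secrets_

def dlkg_open(C, secrets_):
    """Opening phase: each P_j reveals (x_j, r_j); everybody checks the opening
    against C_j and computes x = sum_j x_j."""
    for j, (x, r) in enumerate(secrets_):
        if commit(x, r) != C[j]:
            raise ValueError("player %d: bad opening of C_j" % (j + 1))
    return sum(x for x, _ in secrets_) % Q

def tsig_sign(m, C, key_secrets):
    """S-1 / S-2: a second key generation yields r = g^k with additive shares
    k_j committed in K_j; each P_j opens K_j C_j^c to s_j = k_j + c x_j and
    the signature is (c, s) with s = sum_j s_j."""
    r, K, nonce_secrets = dlkg_keygen(len(C))
    c = hash_to_zq(m, r)
    s = 0
    for j, ((x, rx), (k, rk)) in enumerate(zip(key_secrets, nonce_secrets)):
        sj, tj = (k + c * x) % Q, (rk + c * rx) % Q   # opening of K_j C_j^c
        if commit(sj, tj) != K[j] * pow(C[j], c, P) % P:
            raise ValueError("player %d: bad opening of K_j C_j^c" % (j + 1))
        s = (s + sj) % Q
    return c, s

def schnorr_verify(m, y, sig):
    """Standard single-signer check: r = g^s / y^c must satisfy H(m, r) = c."""
    c, s = sig
    r = pow(G, s, P) * pow(pow(y, c, P), -1, P) % P
    return hash_to_zq(m, r) == c
```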



5.4 Adaptively Secure Distributed-Verifier Proofs

In designing threshold cryptography, it is quite common to prove some relation
(or knowledge) about committed witnesses in a zero-knowledge manner.
In the UC framework, however, zero-knowledge proofs are extremely expensive
components: they are realized by combining a generic non-interactive zero-knowledge
proof with a common-reference-string generator, or a UC-secure commitment
scheme (which anyway needs a common reference string) with a generic
zero-knowledge proof system for an NP-complete language such as Hamiltonian cycle.
They are generic and powerful, but cannot be directly used for practical subjects
such as showing equality of discrete-logs or knowledge of a representation.

Combining our results with techniques developed in [1,2], one can construct
adaptively secure, efficient distributed-verifier zero-knowledge proofs in a universally
composable way for many practical subjects. We illustrate a concrete example.
Suppose that a prover needs to show that a triple $(g^\alpha, g^\beta, g^\gamma)$ is in DH,
i.e. satisfies $\alpha \cdot \beta = \gamma$. This can be done as follows. A prover shares $\alpha$ twice:
once using the sharing phase of $\pi_{\mathrm{XFVSS}}[g]$ and once using that of $\pi_{\mathrm{XFVSS}}[g^\beta]$ with
base $g^\beta$. Furthermore, in the second execution, the same sharing polynomial and
X-coordinates as in the first execution are used. Hence the second execution is
completed only by broadcasting a new commitment of the sharing polynomial,
which is verified by the players by using the same share and X-coordinate received
in the first execution. This guarantees that indeed the same secret, $\alpha$,
has been shared. Note that $(g^\beta)^\alpha$, supposed to be $g^\gamma$, is published in the second
execution. Finally, the prover shares $\beta$ (or $\gamma$) using the sharing phase of
$\pi_{\mathrm{XFVSS}}[g]$ with base $g$. If all sharing phases are accepted, the proof is accepted.
Given $(g^\alpha, g^\beta, g^\gamma)$, $\mathcal{S}$ can simulate the prover by simulating the dealer in each
execution of $\pi_{\mathrm{XFVSS}}$. In the case of a corrupt prover who completes the proof, $\mathcal{S}$
can extract $\alpha$ and $\beta$ from the set of uncorrupt players. Hence the simulator can
extract a witness $(\alpha, \beta)$ needed to invoke the ideal zero-knowledge functionality.
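The share-twice argument, as an added example that is not the paper's own code: the prover Feldman-shares $\alpha$ with one polynomial under the bases $g$ and $g^\beta$, each verifier checks its single share against both commitment vectors, and the constant term published under $g^\beta$ is the claimed $g^{\alpha\beta}$. The toy group and parameters are assumptions; the companion sharing of $\beta$ and the accusation sub-protocol are not modelled.

```python
import secrets

P, Q, G = 2039, 1019, 4            # toy safe-prime group (constructed)

def poly_eval(coeffs, x):
    """Evaluate a polynomial over Z_q at x (coeffs[0] is the constant term)."""
    return sum(a * pow(x, k, Q) for k, a in enumerate(coeffs)) % Q

def feldman_commit(base, coeffs):
    """Feldman commitment base^{a_0}, ..., base^{a_t} to the sharing polynomial."""
    return [pow(base, a, P) for a in coeffs]

def feldman_check(base, commits, i, share):
    """Verifier P_i: base^{share} must equal prod_k commits[k]^{i^k}."""
    e = 1
    for k, c in enumerate(commits):
        e = e * pow(c, pow(i, k, Q), P) % P
    return pow(base, share, P) == e

def prove_dh(alpha, g_beta, n, t):
    """Prover: one sharing polynomial f with f(0) = alpha, shares f(1..n),
    and commitment vectors under g (first execution) and g^beta (second)."""
    f = [alpha % Q] + [secrets.randbelow(Q) for _ in range(t)]
    shares = {i: poly_eval(f, i) for i in range(1, n + 1)}
    return shares, feldman_commit(G, f), feldman_commit(g_beta, f)

def verify_dh(triple, shares, com_g, com_gb):
    """Verifiers: the constant terms must be the claimed g^alpha and g^gamma,
    and every share must pass the check under BOTH bases (same polynomial)."""
    g_alpha, g_beta, g_gamma = triple
    if com_g[0] != g_alpha or com_gb[0] != g_gamma:
        return False
    return all(feldman_check(G, com_g, i, s) and feldman_check(g_beta, com_gb, i, s)
               for i, s in shares.items())
```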

The techniques of [1,2] also apply to other commitment schemes than Feldman's,
and allow proving other relations as well, like equality and additive and
inverse relations among committed values. From these building blocks, one can
even construct an adaptive distributed-verifier proof for any NP relation by
following the construction in [2].
Abstract. We consider the central cryptographic task of secure two-
party computation: two parties wish to compute some function of their
private inputs (each receiving possibly different outputs) where security
should hold with respect to arbitrarily-malicious behavior of either of the
participants. Despite extensive research in this area, the exact round-
complexity of this fundamental problem (i.e., the number of rounds re-
quired to compute an arbitrary poly-time functionality) was not previ-
ously known.

Here, we establish the exact round complexity of secure two-party com-
putation with respect to black-box proofs of security. We first show a
lower bound establishing (unconditionally) that four rounds are not suf-
ficient to securely compute the coin-tossing functionality for any super-
logarithmic number of coins; this rules out 4-round protoc0ls for other
natural functionalities as well. Next, we construct protocols for securely
computing any (randomized) functionality using only five rounds. Our
protocols may be based either on certified trapdoor permutations or ho-
momorphic encryption schemes satisfying certain additional properties.
The former assumption is implied by, e.g., the RSA assumption for large
public exponents, while the latter is implied by, e.g., the DDH assump-
tion. Finally, we show how our protocols may be modified - without
increasing their round complexity and without requiring erasures - to
tolerate an adaptive malicious adversary.



1 Introduction 

Round complexity measures the number of messages that parties need to ex- 
change in order to perform some joint task. Round complexity is a central mea- 
sure of efficiency for any interactive protocol, and much research has focused on 
improving bounds on the round complexity of various cryptographic tasks. As 
representative examples (this list is not exhaustive), we mention work on upper- 
and lower-bounds for zero-knowledge proofs and arguments [6,7,19,27,28,40], 
concurrent zero-knowledge [13, 15, 17, 35, 41, 42], and secure two-party and multi- 
party computation [4, 5, 10, 11, 14, 21-23, 31-34, 37, 43]. The study of secure two-
party computation is fundamental in this regard: not only does it encompass
functionalities whose round-complexity is of independent interest (such as coin
tossing or the zero-knowledge functionality), but it also serves as an important
special case in the study of secure computation.

Yao [43] presented a constant-round protocol for secure two-party computa-
tion when the adversarial party is assumed to be honest-but-curious (or passive).
Goldreich, Micali, and Wigderson [25,29] extended Yao’s result, and showed a 
protocol for secure multi-party computation (and two-party computation in par- 
ticular) tolerating malicious (or active) adversaries. Unfortunately, their proto- 
col does not run in a constant number of rounds. Recently, Lindell [37] gave the 
first constant-round protocol for secure two-party computation in the presence of 
malicious adversaries; he achieves this result by constructing the first constant- 
round coin-tossing protocol (for polynomially-many coins) and then applying 
the techniques of [29] . The number of rounds in the resulting protocol for secure 
two-party computation is not specified by Lindell, but is on the order of 20-30. 

The above works all focus on the case of a non-adaptive adversary. A general 
methodology for constructing protocols secure against an adaptive adversary is 
known [12], and typically requires additional rounds of interaction. 

Lower bounds on the round-complexity of secure two-party computation with
respect to black-box¹ proofs of security have also been given. (We comment
further on black-box bounds in Section 1.2.) Goldreich and Krawczyk [28] showed
that, assuming $\mathrm{NP} \not\subseteq \mathrm{BPP}$, zero-knowledge (ZK) proofs or arguments for NP
require 4 rounds. Since ZK proofs (of knowledge) are a particular example of
a two-party functionality, this establishes a lower bound of 4 rounds for secure
two-party computation. Under the same complexity assumption, Lindell [38] has
shown that for some polynomial $p$, secure coin-tossing of $p(k)$ coins requires at
least 4 rounds.

1.1 Our Results 

Here, we exactly characterize the (black-box) round complexity of secure two- 
party computation by improving the known bounds. In particular: 

Lower bound: We show that 5 rounds are necessary for securely tossing any
super-logarithmic (in the security parameter) number of coins, with respect to
black-box proofs of security. This implies a 5-round black-box lower bound for
a number of other (deterministic) functionalities as well. Beyond the implica-
tions for the round complexity of secure computation, we believe the result is
of independent interest due to the many applications of coin-tossing to other
cryptographic tasks.

The result of Goldreich and Krawczyk [28] mentioned above implies a black- 
box lower bound of five rounds for the “symmetric” ZK functionality (where the 
parties simultaneously prove statements to each other) - and hence the same 
lower bound on the black-box round complexity of secure two-party computation 

¹ Throughout this paper, “black-box” refers to black-box use of an adversary's
code/circuit (and not black-box use of a cryptographic primitive, as in [30]). A defi-
nition of black-box proofs of security is given in Appendix A.
of general functionalities - assuming $\mathrm{NP} \not\subseteq \mathrm{BPP}$. In contrast, our lower bound
holds unconditionally.

Matching upper bound: As our main result, we construct 5-round protocols 
for securely computing any (randomized) poly-time functionality in the presence 
of a malicious adversary. Our protocols may be based on various cryptographic 
assumptions, including certified, enhanced trapdoor permutations (see Defini- 
tion 1 and Remark 1), or homomorphic encryption schemes satisfying certain 
additional properties. The former may be based on, for example, the RSA as- 
sumption for large public exponents, while the latter may be based on, for ex- 
ample, the decisional Diffie-Hellman (DDH) assumption in certain groups. Due 
to space limitations, we focus on the (more difficult) case of certified trapdoor 
permutations, and refer the reader to the full version for protocols based on 
alternate assumptions. 

In Section 4.1, we sketch how our protocols can be extended - without in- 
creasing the round complexity and without requiring erasures - to tolerate an 
adaptive adversary. The necessary cryptographic assumptions are described in 
more detail there. 

1.2 A Note on Black-Box Lower Bounds 

Until the recent work of Barak [1,2], a black-box impossibility result was gen- 
erally viewed as strong evidence for the “true” impossibility of a given task. 
Barak showed, however, that non-black-box use of an adversary’s code could, 
in fact, be used to circumvent certain black-box impossibility results [1]. Never- 
theless, we believe there is still an important place in cryptography for black-box 
impossibility results for at least the following reasons: 

1. A black-box impossibility result is useful insofar as it rules out a certain 
class of techniques for solving a given problem. 

2. With respect to our current understanding, protocols constructed using non- 
black-box techniques, currently seem inherently less efficient than those con- 
structed using black-box techniques. 

It remains an interesting open question to beat the lower bound given in this 
paper using non-black-box techniques, or to prove that this is impossible. 

1.3 Discussion 

Yao's results [43] give a 4-round protocol secure against honest-but-curious ad-
versaries, assuming the existence of enhanced [26, Sec. C.1] trapdoor permuta-
tions (an optimal 3-round protocol secure against honest-but-curious adversaries
can be constructed based on the existence of homomorphic encryption schemes).
Our lower bound shows that additional rounds are necessary to achieve security 
against the stronger class of malicious adversaries. Our upper bound, however, 
shows that (at least in the case of trapdoor permutations) a single (i.e., fifth) 
additional round suffices. 
Our technique for achieving security against adaptive adversaries applies only
to adversaries who corrupt at most one of the players. An interesting open ques- 
tion is to construct a constant-round protocol tolerating an adaptive adversary 
who can potentially corrupt both players. 

2 Definitions and Cryptographic Preliminaries 

We omit the (completely standard) definitions of security for two-party com- 
putation used in this work, which follow [9, 10,25,39]. However, we provide in 
Appendix A our definition of black-box simulation which is used to prove the 
lower bound of Section 3. 

We assume the reader is familiar with the cryptographic tools we use and refer
the reader elsewhere for definitions of non-interactive (perfectly binding) com-
mitment schemes [24], 3-round witness-indistinguishable (WI) proofs of knowl-
edge [20, 24], witness-extended emulation for proofs/arguments of knowledge [37],
and the Feige-Shamir 4-round ZK argument of knowledge [18, 19]. We note that
all of the above may be constructed based on the existence of certified, enhanced
trapdoor permutations.

To establish notation, we provide here our working definitions of trapdoor 
permutations, hard-core bits, and Yao’s garbled circuit technique. We also discuss 
equivocal commitment, and show a new construction of this primitive. 
Trapdoor permutations. For the purposes of the present abstract, we use the
following simplified definition of trapdoor permutations (but see Remark 1):

Definition 1. Let $\mathcal{F}$ be a triple of PPT algorithms $(\mathrm{Gen}, \mathrm{Eval}, \mathrm{Invert})$ such that
if $\mathrm{Gen}(1^k)$ outputs a pair $(\alpha, td)$, then $\mathrm{Eval}(\alpha, \cdot)$ is a permutation over $\{0,1\}^k$
and $\mathrm{Invert}(td, \cdot)$ is its inverse. $\mathcal{F}$ is a trapdoor permutation family if the
following is negligible in $k$ for all poly-size circuit families $\{A_k\}$:

$\Pr[(\alpha, td) \leftarrow \mathrm{Gen}(1^k);\ y \leftarrow \{0,1\}^k;\ x \leftarrow A_k(\alpha, y) : \mathrm{Eval}(\alpha, x) = y].$

We additionally assume that $\mathcal{F}$ satisfies (a weak variant of) “certifiability”;
namely, given some $\alpha$ it is possible to decide in polynomial time whether $\mathrm{Eval}(\alpha, \cdot)$
is a permutation over $\{0,1\}^k$.

For notational convenience, we let $(\alpha, td)$ be implicit and will simply let $f(\cdot)$
denote $\mathrm{Eval}(\alpha, \cdot)$, and $f^{-1}(\cdot)$ denote $\mathrm{Invert}(td, \cdot)$ (where $\alpha, td$ are understood from
the context). Of course, $f^{-1}$ can only be efficiently evaluated if $td$ is known.

Remark 1. The above definition is somewhat less general than others that have
been considered (e.g., that of [24, Def. 2.4.5]); in particular, the present defini-
tion assumes a domain of $\{0,1\}^k$ and therefore no “domain sampling” algorithm
is necessary. Furthermore, the protocol of Section 4 does not immediately gener-
alize to trapdoor permutations requiring such domain sampling. Nevertheless,
by introducing additional machinery it is possible to modify our protocol so that
it may be based on any family of enhanced trapdoor permutations (cf. [26, Sec.
C.1]) satisfying the certifiability condition noted above. For simplicity, however,
we use the above definition in proving our results and defer the more complicated
protocol (and proof) to the full version.

Hard-core bits. We assume the reader is familiar with the notion of hard-core
bits for any trapdoor permutation family (see [24]), and thus we merely describe
the notation we use. Let $\mathcal{H} = \{h_k : \{0,1\}^k \to \{0,1\}\}$ be a hard-core bit for some
trapdoor permutation family $\mathcal{F}$ (we will let $k$ be implicit, and set $h = h_k$); thus
(informally), $h(z)$ is “hard” to predict given $f(z)$. We extend this notation to a
vector of $k$ hard-core bits in the following way:

$\mathbf{h}(z) \stackrel{\mathrm{def}}{=} h(z)\,|\,h(f(z))\,|\,\cdots\,|\,h(f^{k-1}(z)).$

Now (informally), $\mathbf{h}(z)$ “looks pseudorandom” given $f^k(z)$.

Yao's "garbled circuit". Our secure computation protocol uses as a building 
block the "garbled circuit" technique of Yao [43] which enables constant-round 
secure computation for honest-but-curious adversaries. We abstract Yao's technique, 
and only consider those aspects of it which are necessary for our proof of 
security. In what follows, $F$ is a description of a two-input/single-output circuit 
whose inputs and output have the same length $k$ (yet the technique may be 
generalized for inputs and output of arbitrary polynomial lengths). Yao's results 
give ppt algorithms $\mathsf{Yao}_1, \mathsf{Yao}_2$ for which: 

— $\mathsf{Yao}_1$ is a randomized algorithm which takes as input a security parameter $1^k$, 
a circuit $F$, and a string $y \in \{0,1\}^k$. It outputs a "garbled circuit" $\mathsf{circuit}$ and 
input-wire labels $Z_{1,0}, Z_{1,1}, \ldots, Z_{k,0}, Z_{k,1} \in \{0,1\}^k$. The "garbled circuit" 
may be viewed as representing the function $F(\cdot, y)$. 

— $\mathsf{Yao}_2$ is a deterministic algorithm which takes as input $1^k$, a "garbled 
circuit" $\mathsf{circuit}$, and $k$ values $Z_1, \ldots, Z_k \in \{0,1\}^k$. It outputs either an invalid 
symbol $\bot$, or a value $v \in \{0,1\}^k$. 

(When $k$ is clear from the context, we omit it.) 
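As an added worked example (not from the paper), the following Python instantiates $\mathsf{Yao}_1$ and $\mathsf{Yao}_2$ for a constructed two-gate circuit with $k = 2$. Wire labels are 16-byte strings; each garbled gate is a table of four rows, where a row is the output label followed by a zero tag, masked with SHA-256 of the two input labels. This "trial decryption with redundancy" garbling and the SHA-256 mask are assumptions of the example; the paper only needs the abstract interface. $\mathsf{Yao}_1$ hard-wires player 2's input $y$ by shipping only the labels for $y$, and $\mathsf{Yao}_2$ returns None in place of $\bot$.

```python
import hashlib
import os
import secrets

LABEL_LEN = 16                 # bytes per wire label (stand-in for the paper's k-bit labels)
TAG = bytes(LABEL_LEN)         # zero tag appended to output labels so the evaluator can
                               # recognise the one table row it is able to decrypt

# Constructed example circuit F with K = 2 input bits per player.  Wires 0..K-1
# carry player 1's input x, wires K..2K-1 carry player 2's input y, and every
# gate appends one fresh wire.  Gate = (op, in_a, in_b, out); output bits = OUT.
K = 2
GATES = [("AND", 0, 2, 4),     # v_1 = x_1 AND y_1
         ("XOR", 1, 3, 5)]     # v_2 = x_2 XOR y_2
OUT = [4, 5]


def gate_fn(op, a, b):
    return a & b if op == "AND" else a ^ b


def F(x, y):
    """Plain (ungarbled) evaluation of the example circuit on bit lists x, y."""
    w = list(x) + list(y)
    for op, a, b, _ in GATES:
        w.append(gate_fn(op, w[a], w[b]))
    return [w[o] for o in OUT]


def _mask(label_a, label_b, gate_id):
    """32-byte row mask derived from the two input labels (assumed PRF: SHA-256)."""
    return hashlib.sha256(label_a + label_b + bytes([gate_id])).digest()


def _xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


def yao1(y):
    """Yao_1(F, y): returns (circuit, labels) where labels[i] = (Z_{i,0}, Z_{i,1}) are
    player 1's input-wire labels; player 2's own wires are fixed to y inside circuit."""
    n_wires = 2 * K + len(GATES)
    lab = [(os.urandom(LABEL_LEN), os.urandom(LABEL_LEN)) for _ in range(n_wires)]
    tables = []
    for gid, (op, a, b, o) in enumerate(GATES):
        rows = []
        for va in (0, 1):
            for vb in (0, 1):
                vo = gate_fn(op, va, vb)
                rows.append(_xor(_mask(lab[a][va], lab[b][vb], gid), lab[o][vo] + TAG))
        secrets.SystemRandom().shuffle(rows)       # hide which row encodes which inputs
        tables.append(rows)
    circuit = {
        "tables": tables,
        "y_labels": [lab[K + i][y[i]] for i in range(K)],        # F(., y) hard-wired
        "decode": [{lab[o][0]: 0, lab[o][1]: 1} for o in OUT],  # output-wire decoding
    }
    return circuit, lab[:K]


def yao2(circuit, Z):
    """Yao_2(circuit, Z_1..Z_k): evaluate with player 1's chosen labels.
    Returns the k output bits, or None (the paper's bottom symbol) on any inconsistency."""
    w = list(Z) + list(circuit["y_labels"])
    for gid, (op, a, b, _) in enumerate(GATES):
        mask = _mask(w[a], w[b], gid)
        hits = [_xor(mask, row) for row in circuit["tables"][gid]]
        hits = [p[:LABEL_LEN] for p in hits if p[LABEL_LEN:] == TAG]
        if len(hits) != 1:
            return None
        w.append(hits[0])
    try:
        return [circuit["decode"][j][w[o]] for j, o in enumerate(OUT)]
    except KeyError:
        return None


def garbled_eval(x, y):
    """Honest end-to-end run: garble with y, select player 1's labels by x, evaluate."""
    circuit, labels = yao1(y)
    return yao2(circuit, [labels[i][x[i]] for i in range(K)])
```

In the protocol the label selection done inline by `garbled_eval` is exactly what the $k$ oblivious transfers replace: player 1 must obtain $Z_{i,x_i}$ without revealing $x_i$ and without learning $Z_{i,\bar{x}_i}$.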

We briefly describe how the above algorithms may be used for secure computation 
in the honest-but-curious setting. Let player 1 (resp., 2) hold input 
$x$ (resp., $y$), and assume that player 1 is to obtain the output $F(x, y)$. First, 
player 2 computes $(\mathsf{circuit}, \{Z_{i,b}\}) \leftarrow \mathsf{Yao}_1(F, y)$ and sends $\mathsf{circuit}$ to player 1. 
Then, the two players engage in $k$ instances of oblivious transfer: in the $i$-th 
instance, player 1 enters with "input" $x_i$, player 2 enters with "input" $(Z_{i,0}, Z_{i,1})$, 
and player 1 obtains the "output" $Z_i \stackrel{\mathrm{def}}{=} Z_{i,x_i}$. Player 1 then computes $v = 
\mathsf{Yao}_2(\mathsf{circuit}, Z_1, \ldots, Z_k)$ and outputs $v$. 

A 3-round protocol for oblivious transfer (OT) based on trapdoor permutations 
may be constructed as follows (we remark that using number-theoretic 
assumptions, 2-round OT is possible): Let player 1 have input $b$ and player 2 have 
input strings $Z_0, Z_1 \in \{0,1\}^k$ (the goal is for player 1 to obtain $Z_b$). Player 2 begins 
by generating trapdoor permutation $(f, f^{-1})$ and sending $f$ to player 1. Next, 
player 1 chooses random $z'_0, z'_1 \in \{0,1\}^k$, sets $z_b = f^k(z'_b)$ and $z_{\bar b} = z'_{\bar b}$, and sends 
$z_0, z_1$ to player 2. Finally, player 2 computes $W_0 = Z_0 \oplus \mathbf{h}(f^{-k}(z_0))$, computes 
$W_1$ analogously, and sends $W_0, W_1$ to player 1. Player 1 can then easily recover 
$Z_b = W_b \oplus \mathbf{h}(z'_b)$, whereas $\mathbf{h}(f^{-k}(z_{\bar b}))$ looks pseudorandom to it. (A proof of security for essentially the above protocol appears in [25].) Note 
that in the honest-but-curious setting it is secure to run polynomially-many 
executions of the above in parallel. 
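The three-round OT above, as an added worked example that is not part of the paper: both parties' messages are computed in Python over a constructed, deliberately tiny RSA trapdoor permutation ($f(x) = x^e \bmod N$ with the least significant bit as hard-core bit; both are assumptions of this example, and real parameters would be thousands of bits). The domain is $\mathbb{Z}_N$ rather than $\{0,1\}^k$, which is exactly the domain-sampling issue of Remark 1; here $z'_b$ is simply sampled uniformly from $\mathbb{Z}_N$. The same exchange, with the unselected $z_{i,\bar{x}_i}$ forced to $r_{i,\bar{x}_i} \oplus r'_{i,\bar{x}_i}$, is what rounds two to four of the Section 4 protocol run $k$ times in parallel.

```python
import secrets

# Constructed toy RSA trapdoor permutation: two small primes, far below any secure size.
P, Q, E = 1000003, 1000033, 65537


def gen():
    """Gen(1^k): public index alpha = (N, e), trapdoor td = (N, d)."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))
    return (n, E), (n, d)


def f(alpha, x):
    """Eval(alpha, x) = x^e mod N; a permutation of Z_N."""
    n, e = alpha
    return pow(x, e, n)


def f_inv(td, y):
    """Invert(td, y) = y^d mod N; needs the trapdoor d."""
    n, d = td
    return pow(y, d, n)


def f_pow(alpha, x, k):
    """f^k(x): k-fold iteration of f."""
    for _ in range(k):
        x = f(alpha, x)
    return x


def f_inv_pow(td, y, k):
    """f^{-k}(y): k-fold iteration of f^{-1}."""
    for _ in range(k):
        y = f_inv(td, y)
    return y


def h_vec(alpha, z, k):
    """The paper's k-bit vector h(z) = h(z)|h(f(z))|...|h(f^{k-1}(z)) packed into an int,
    with h = least significant bit (a hard-core bit for RSA; assumption of this example)."""
    bits = 0
    for _ in range(k):
        bits = (bits << 1) | (z & 1)
        z = f(alpha, z)
    return bits


# --- the three messages of the protocol -------------------------------------

def ot_msg1_sender():
    """Player 2 generates (f, f^{-1}) and sends f, i.e. alpha; td stays private."""
    return gen()


def ot_msg2_receiver(alpha, b, k):
    """Player 1 (choice bit b): z_b = f^k(z'_b), z_{1-b} = z'_{1-b}.  Sends (z_0, z_1)."""
    n, _ = alpha
    z_prime = [secrets.randbelow(n), secrets.randbelow(n)]
    z = list(z_prime)
    z[b] = f_pow(alpha, z_prime[b], k)
    return z, z_prime                      # z is sent; z_prime is kept


def ot_msg3_sender(alpha, td, z, Z0, Z1, k):
    """Player 2: W_c = Z_c XOR h(f^{-k}(z_c)) for c in {0,1}.  Sends (W_0, W_1)."""
    return [Zc ^ h_vec(alpha, f_inv_pow(td, z[c], k), k) for c, Zc in ((0, Z0), (1, Z1))]


def ot_output_receiver(alpha, W, z_prime, b, k):
    """Player 1 recovers Z_b = W_b XOR h(z'_b).  For the other index it knows z_{1-b}
    but not f^{-k}(z_{1-b}), so the pad on W_{1-b} looks pseudorandom to it."""
    return W[b] ^ h_vec(alpha, z_prime[b], k)


def run_ot(b, Z0, Z1, k=8):
    """Full honest execution; labels Z0, Z1 are k-bit integers.  Returns what player 1 learns."""
    alpha, td = ot_msg1_sender()
    z, z_prime = ot_msg2_receiver(alpha, b, k)
    W = ot_msg3_sender(alpha, td, z, Z0, Z1, k)
    return ot_output_receiver(alpha, W, z_prime, b, k)
```

Note that player 2 cannot tell which of $z_0, z_1$ is the image $f^k(z'_b)$ and which is a fresh random element, since $f^k$ is a permutation; that is the receiver-privacy side of the argument.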

Putting everything together, we obtain the following 3-round protocol for 
secure computation of any single-output functionality in the honest-but-curious 
setting: 

Round 1 Player 2 runs $\mathsf{Yao}_1$ to generate $(\mathsf{circuit}, \{Z_{i,b}\})$. He then sends $\mathsf{circuit}$ 
and the $f$'s for oblivious transfer. 

Round 2 Player 1 sends $k$ pairs $(z_0, z_1)$. 

Round 3 Player 2 sends $k$ pairs $(W_0, W_1)$. 

Output computation Player 1 can now recover the appropriate $\{Z_i\}$ and thus 
compute the output value $v$ using $\mathsf{Yao}_2$, as discussed above. 

Finally, any protocol for secure computation of single-output functionalities can 
be used for secure computation of two-output functionalities using only one 
additional round [25, Prop. 7.2.11]. Furthermore, any protocol for secure com- 
putation of deterministic functionalities may be used for secure computation of 
randomized ones (with the same round complexity) [25, Prop. 7.4.4]. 

With the above in mind, we describe the properties required of $\mathsf{Yao}_1, \mathsf{Yao}_2$. 
We first require correctness: for any $F, y$, any output $(\mathsf{circuit}, \{Z_{i,b}\})$ of $\mathsf{Yao}_1(F, y)$, 
and any $x$ we have $F(x, y) = \mathsf{Yao}_2(\mathsf{circuit}, Z_{1,x_1}, \ldots, Z_{k,x_k})$. The algorithms also 
satisfy the following notion of security: there exists a simulator $\mathsf{Yao\text{-}Sim}$ which 
takes $x, v$ as input, and which outputs $\mathsf{circuit}$ and a set of $k$ input-wire labels $\{Z_i\}$; 
furthermore, the following distributions are computationally indistinguishable 
(by poly-size circuit families): 

1. $\big\{(\mathsf{circuit}, \{Z_{i,b}\}) \leftarrow \mathsf{Yao}_1(F, y) : (\mathsf{circuit}, \{Z_{i,x_i}\})\big\}_{x,y}$ 

2. $\big\{v = F(x, y) : \mathsf{Yao\text{-}Sim}(x, v)\big\}_{x,y}$ 

Algorithms $(\mathsf{Yao}_1, \mathsf{Yao}_2)$ satisfying the above definitions may be constructed 
assuming the existence of one-way functions. 

Equivocal commitment. Although various notions of equivocal commitment 
have appeared previously, we present here a definition and construction specific 
to our application. Informally, an equivocal commitment scheme is an interactive 
protocol between a sender and a receiver which is computationally hiding and 
computationally binding in a real execution of the protocol. However, in a simu- 
lated execution of the protocol (where the simulator interacts with the receiver), 
the simulator is not bound to any particular value but can instead open the com- 
mitment to any desired value. Furthermore, for any (non-uniform) ppt receiver 
$R$ and any string $x$, the view of $R$ when the real sender commits/decommits to 
$x$ is computationally indistinguishable from the view of $R$ when the simulator 
"commits" in an equivocal way and later opens this commitment as $x$. We defer 
a formal definition, especially since one follows easily from the construction we 
now provide. 
We construct an equivocal commitment scheme for a single bit in the following 
way: let $\mathsf{Com}$ be a non-interactive (perfectly binding) commitment scheme. 
To commit to a bit $x$, the sender chooses coins $\omega_1, \omega_2$ and computes $C = 
\mathsf{Equiv}(x; \omega_1, \omega_2) \stackrel{\mathrm{def}}{=} \mathsf{Com}(x; \omega_1)\,\|\,\mathsf{Com}(x; \omega_2)$. It sends $C$ to the receiver and performs 
a zero-knowledge proof/argument that $C$ was constructed correctly (i.e., 
that there exist $x, \omega_1, \omega_2$ such that $C = \mathsf{Equiv}(x; \omega_1, \omega_2)$). The receiver rejects in 
case the proof/argument fails. To decommit, the sender chooses a bit $b$ at random 
and reveals $x, \omega_b$. Note that a simulator can "equivocate" the commitment 
by setting $C = \mathsf{Com}(x; \omega_1)\,\|\,\mathsf{Com}(\bar{x}; \omega_2)$ (where $x$ is chosen at random in $\{0,1\}$), 
simulating the zero-knowledge step, and then revealing $\omega_1$ or $\omega_2$ depending on 
$x$ and the bit to be revealed. By committing bit-by-bit, the above extends easily 
to yield an equivocal commitment scheme for polynomial-length strings. 
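An added example (not from the paper) of the single-bit construction above in Python. $\mathsf{Com}$ is instantiated as SHA-256 over random coins and the bit, which is only a hash-based stand-in for the perfectly binding scheme the paper assumes, and the zero-knowledge proof that $C$ has the form $\mathsf{Com}(x)\|\mathsf{Com}(x)$ is left out (marked in the code). Running the simulator shows why that proof matters: without it a sender could form $\mathsf{Com}(x)\|\mathsf{Com}(\bar{x})$ and open either way, which is precisely the equivocation the simulator needs and the honest receiver must rule out.

```python
import hashlib
import secrets

COIN_LEN = 16   # bytes of randomness per commitment


def com(x, omega):
    """Com(x; omega): hash-based stand-in for the perfectly binding commitment (assumption)."""
    return hashlib.sha256(omega + bytes([x])).digest()


def equiv_commit(x):
    """Honest sender: C = Equiv(x; w1, w2) = Com(x; w1) || Com(x; w2).
    The zero-knowledge proof that C really has this form is NOT implemented here;
    a real receiver must verify it before accepting C."""
    w1, w2 = secrets.token_bytes(COIN_LEN), secrets.token_bytes(COIN_LEN)
    return (com(x, w1), com(x, w2)), (x, w1, w2)


def equiv_decommit(state):
    """Honest decommit: pick b at random and reveal (x, b, omega_b)."""
    x, w1, w2 = state
    b = secrets.randbelow(2)
    return x, b, (w1, w2)[b]


def equiv_verify(C, x, b, omega):
    """Receiver checks the revealed half against the commitment."""
    return b in (0, 1) and com(x, omega) == C[b]


def sim_commit():
    """Simulator: C = Com(x; w1) || Com(not x; w2) for a random x, so an opening
    for each bit exists and C can later be revealed as either value."""
    x = secrets.randbelow(2)
    w1, w2 = secrets.token_bytes(COIN_LEN), secrets.token_bytes(COIN_LEN)
    return (com(x, w1), com(1 - x, w2)), (x, w1, w2)


def sim_open(state, target):
    """Open the equivocal commitment as 'target' by revealing the matching half."""
    x, w1, w2 = state
    return (target, 0, w1) if target == x else (target, 1, w2)


def commit_string(bits):
    """Bit-by-bit extension to strings: one equivocal commitment per bit."""
    return [equiv_commit(bit) for bit in bits]
```

The receiver's view is the same in both cases: a pair of commitments, then one bit and one set of coins that opens a uniformly chosen half. Only the omitted zero-knowledge step, which a real sender cannot simulate, separates the honest commitment from the simulator's.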



3 The Round Complexity of Coin Tossing 

We show that any protocol for securely flipping a super-logarithmic number of 
coins (which is proven secure via black-box simulation) requires at least 5 rounds. 
(The reader is referred to Appendix A for a definition of black-box simulation.) 
More formally: 

Theorem 1. Let $p(k) = \omega(\log k)$, where $k$ is the security parameter. Then there 
does not exist a 4-round protocol for tossing $p(k)$ coins which can be proven secure 
via black-box simulation. 

The above theorem refers to the case where both parties are supposed to receive 
the resulting coin as output. 

Before starting our proof, we note that the above theorem is "tight" in the 
following two regards: first, for any $p(k) = O(\log k)$, 3-round protocols (proven 
secure using black-box simulation) for tossing $p(k)$ coins are known [8,25,29], 
assuming the existence of a non-interactive commitment scheme. Furthermore, 
our results of Section 4 imply a 5-round protocol (based on the existence of 
trapdoor permutations) for tossing any polynomial number of coins. In fact, 
we can also construct a 5-round protocol for tossing any polynomial number of 
coins based on the existence of a non-interactive commitment scheme; details 
will appear in the final version. 

Proof (sketch). We assume (toward a contradiction) some 4-round protocol $\Pi$ 
for tossing $p = p(k)$ coins. Without loss of generality, we may assume that player 
1 sends the final message of $\Pi$ (since in the ideal model, only player 1 has the 
ability to abort the trusted party); hence, player 2 must send the first message of 
$\Pi$. Consider a real-model adversary $\hat{A}_1$, corrupting player 1, who acts as follows: 
Let $\mathsf{Good} \subseteq \{0,1\}^p$ be some set of "small" but noticeable size, whose exact 
size we will fix later. $\hat{A}_1$ runs protocol $\Pi$ honestly until it receives the third 
message, and then computes the value $c$ of the tossed coin. If $c \in \mathsf{Good}$, then $\hat{A}_1$ 
completes execution of the protocol honestly and outputs some function of its 
view; otherwise, $\hat{A}_1$ aborts with output $\bot$. 

Black-box security of $\Pi$ implies the existence of a black-box ideal-model 
adversary $B_1$ satisfying the following property (informally): conditioned upon 
receiving a coin $c \in \mathsf{Good}$ from the trusted party, with all but negligible probability 
$B_1$ "forces" an execution with $\hat{A}_1$ in which $\hat{A}_1$ does not abort and hence 
$\hat{A}_1$'s view is consistent with some coin $c' \in \mathsf{Good}$ (for our proof, it does not 
matter whether $c' = c$ or not). 

We next define a real-model adversary $\hat{A}_2$, corrupting player 2, acting as 
follows: $\hat{A}_2$ incorporates the code of $B_1$ and - simulating the trusted party for 
$B_1$ - feeds $B_1$ a coin $c$ randomly chosen from $\mathsf{Good}$. By the above, $B_1$ can 
with overwhelming probability "force" an execution with $\hat{A}_1$ in which $\hat{A}_1$ sees a 
view consistent with some $c' \in \mathsf{Good}$. We show that we can use $B_1$ to "force" 
an execution with (the honest) $A_1$ in which $A_1$ outputs some $c' \in \mathsf{Good}$ with 
sufficiently high probability. Of course, $\hat{A}_2$ (and hence $B_1$) interacts with the 
honest $A_1$, and not with adversarial $\hat{A}_1$; thus, in particular, $\hat{A}_2$ (and hence $B_1$) 
cannot rewind $A_1$. However, since $\hat{A}_1$ acts "essentially" like the honest $A_1$ (with 
the only difference being due to aborts), we can show that $\hat{A}_2$ "forces" $A_1$ to 
output a coin $c' \in \mathsf{Good}$ with at least some inverse polynomial probability $1/q(k)$, 
where $q(k)$ relates to the number of queries $B_1$ makes to its oracle for $\hat{A}_1$. 

Choosing $\mathsf{Good}$ such that $|\mathsf{Good}|/2^p < 1/2q(k)$, we derive a contradiction: 
in any ideal-model execution, an honest player 1 outputs a coin in $\mathsf{Good}$ with 
probability at most $1/2q(k)$; in the real world, however, $\hat{A}_2$ forces an honest $A_1$ 
to output a coin in $\mathsf{Good}$ with probability at least $1/q(k)$. This implies a simple, 
poly-time distinguisher with non-negligible advantage at least $1/2q(k)$. 

Remark 2. Theorem 1 immediately extends to rule out 4-round, black-box 
protocols for other functionalities (when both parties are supposed to receive 
output), and in particular some natural, deterministic ones. For example, the 
theorem implies that 4 rounds are not sufficient for computing the "xor" functionality 
(i.e., $F(x, y) = x \oplus y$) on inputs of super-logarithmic length, since any 
such protocol could be used to toss a super-logarithmic number of coins (in the 
same number of rounds). This can be generalized in the obvious way. 



4 A 5-Round Protocol for Secure Computation 

Here, we prove the existence of a 5-round protocol for secure computation of gen- 
eral functionalities based on the existence of (certified) trapdoor permutations 
(see Definition 1 and Remark 1). To simplify matters, we describe a 4-round 
protocol for secure computation of deterministic functionalities in which only 
the first party receives output; this suffices for our main result since any such 
protocol can be used for secure computation of randomized functionalities in 
which both parties receive (possibly different) outputs, at the cost of one more 
(i.e., fifth) additional round [25, Propositions 7.2.11 and 7.4.4]. 

Before describing our protocol, we provide some intuition about the “high- 
level” structure of our protocol and highlight some techniques developed in the 
course of its construction. We stress that our protocol does not merely involve 
"collapsing" rounds by running things in parallel - new techniques are needed to 
obtain a round-optimal protocol. At the core of our protocol is Yao's 3-round protocol 
tolerating honest-but-curious adversaries (it will be helpful in what follows 
to refer to the description of Yao's "basic" protocol in Section 2). The standard 
way of adding robustness against malicious adversaries (see [25]) is to “compile” 
this protocol by having the parties (1) commit to their inputs; (2) run (modified) 
coin-tossing protocols, so each party ends up with a random tape and the other 
party receives a commitment to this tape; and (3) run the basic Yao protocol 
with ZK proofs/ arguments of correct behavior (given the committed values of 
the input and random tape) at each round. We may immediately note this ap- 
proach will not suffice to obtain a 4-round protocol, since a ZK proof/argument 
for the first round of Yao’s protocol alone will already require 4 rounds. Instead, 
we briefly (and informally) summarize some of the techniques we use to achieve 
a 4-round protocol. In the following (but not in the more formal description 
that follows), we number the rounds from 0-3, where round 0 corresponds to an 
“initialization” round, and rounds 1-3 correspond to rounds 1-3 of Yao’s basic 
protocol. 

— We first observe that in Yao’s protocol a malicious player 2 gains nothing by 
using a non-random tape and thus coin-tossing for this party is not needed. 

— It is essential, however, that player 1 is unable to choose his coins in round 
two. However, full-blown coin-tossing is unnecessary, and we instead use a 3- 
round sub-protocol which “forces” player 1 to use an appropriate set of coins. 
(This sub-protocol is run in rounds 0-2.) This component and its analysis 
are based loosely on earlier work of Barak and Lindell [3]. 

— When compiling Yao’s protocol, player 1 may send his round-two message 
before the proof of correctness for round one (being given by player 2) is com- 
plete (here, we use the fact that the trapdoor permutation family being used 
is “certifiable”). We thus construct our protocol so the proof of correctness 
for round one completes in round three. To obtain a proof of security, we 
require player 2 to delay revealing circuit until round three. Yet, a proof of 
security also requires player 2 to be committed to a circuit at the end of the 
round one. We resolve this dilemma by having player 2 commit to circuit in 
round one using an equivocal commitment scheme. 

— Finally, we use a specific WI proof of knowledge (from [36]; see also [18]) with the 
property that the statement to be proved (and, by implication, a witness) need 
not be known until the last round of the protocol, yet soundness, completeness, 
and witness-indistinguishability still hold. (The proof of knowledge aspect 
must be dealt with more carefully; see Appendix B.) Furthermore, this proof 
system has the property that the first message from the prover is computed 
independently of the statement being proved (as well as its witness); we use 
this fact when constructing an adaptively-secure protocol in Section 4.1. 

We also construct a novel 4-round ZK argument of knowledge with similar 
properties (see Appendix B), by modifying the Feige-Shamir ZK argument 
of knowledge [19]. Our new protocol may be of independent interest. 
Let $\mathcal{F} = \{F_k\}_{k \in \mathbb{N}}$ be a polynomial-size (deterministic) circuit family representing 
the functionality of interest, where $F_k$ takes two $k$-bit inputs and returns 
a $k$-bit output to player 1. (Clearly, the protocol extends for arbitrary 
input/output lengths. We have also mentioned earlier how the protocol may be 
extended for randomized, two-output functionalities.) When $k$ is understood, we 
write $F$ instead of $F_k$. Let $x = x_1 \cdots x_k \in \{0,1\}^k$ represent the input of player 1, 
let $y = y_1 \cdots y_k \in \{0,1\}^k$ represent the input of player 2, and let $v = F(x, y)$. In 
the following, $i$ always ranges from 1 to $k$, and $b$ ranges from 0 to 1. 

First round. The protocol begins with the first player proceeding as follows: 

1. Player 1 chooses $2k$ values $\{r_{1,0}, r_{1,1}, \ldots, r_{k,0}, r_{k,1}\}$ at random from 
$\{0,1\}^k$. It then chooses $2k$ random coins $\{\omega_{i,b}\}$ and computes $\mathsf{Com}_{i,b} = 
\mathsf{Com}(r_{i,b}; \omega_{i,b})$, where $\mathsf{Com}$ is any perfectly-binding commitment scheme. 

2. Player 1 also prepares the first message (which we call $\mathsf{PoK}_1$) of a 3-round 
witness indistinguishable proof of knowledge (for a statement which will 
be fully determined in the third round; see the earlier remarks). For later 
reference, define $\mathsf{statement}_1$ as the following: 

$$\exists\, \{(r_i, \omega_i)\}_{1 \le i \le k} \text{ s.t. } \forall i : \big(\mathsf{Com}_{i,0} = \mathsf{Com}(r_i; \omega_i) \ \vee\ \mathsf{Com}_{i,1} = \mathsf{Com}(r_i; \omega_i)\big).$$

(Informally, $\mathsf{statement}_1$ represents the fact that player 1 "knows" either the 
decommitment of $\mathsf{Com}_{i,0}$ or the decommitment of $\mathsf{Com}_{i,1}$ for each $i$.) 

3. Player 1 also prepares the first message (acting as the verifier) of the modified 
Feige-Shamir ZK argument of knowledge (see Appendix B). We denote this 
message by $\mathsf{FS}_1$. 

4. The message sent by player 1 contains $\{\mathsf{Com}_{i,b}\}$, $\mathsf{PoK}_1$, and $\mathsf{FS}_1$. 

Second round. Player 2 proceeds as follows: 

1. Player 2 generates $2k$ trapdoor permutations (denoted $\{(f_{i,b}, f^{-1}_{i,b})\}$) using $2k$ 
invocations of $\mathsf{Gen}(1^k)$, chooses $2k$ values $\{r'_{i,b}\}$ at random from $\{0,1\}^k$, and 
prepares the second message (denoted $\mathsf{PoK}_2$) for the WI proof of knowledge 
initiated by player 1 in the previous round. 

2. Next, player 2 generates a "garbled circuit" (cf. Section 2) for the functionality 
$F$, based on its own input $y$. This involves choosing random coins 
$\Omega$ and computing $(\mathsf{circuit}, \{Z_{i,b}\}) = \mathsf{Yao}_1(F, y; \Omega)$. Player 2 also computes 
commitments to the $\{Z_{i,b}\}$: that is, it chooses coins $\{\omega'_{i,b}\}$ and computes 
$\mathsf{Com}'_{i,b} = \mathsf{Com}(Z_{i,b}; \omega'_{i,b})$. 

3. Player 2 next chooses random coins $\zeta$ and generates an equivocal commitment 
$\mathsf{Equiv} = \mathsf{Equiv}(\mathsf{circuit}; \zeta)$. 

4. Next, player 2 prepares the second message (denoted $\mathsf{FS}_2$) for the modified 
Feige-Shamir ZK argument of knowledge (for a statement which will be fully 
determined in the fourth round; cf. Appendix B). For future reference, let 
$\mathsf{statement}_2$ be the following: there exist $\zeta, y, \Omega, \mathsf{circuit}, \{Z_{i,b}\}, \{\omega'_{i,b}\}$ s.t.: 

(a) $(\mathsf{circuit}, \{Z_{i,b}\}) = \mathsf{Yao}_1(F, y; \Omega)$; 

(b) $\forall i, b$: $\mathsf{Com}'_{i,b} = \mathsf{Com}(Z_{i,b}; \omega'_{i,b})$; and 

(c) $\mathsf{Equiv} = \mathsf{Equiv}(\mathsf{circuit}; \zeta)$. 

(Informally, $\mathsf{statement}_2$ states that player 2 performed the preceding two 
steps correctly.) 

5. The message includes $\{f_{i,b}\}$, $\{r'_{i,b}\}$, $\{\mathsf{Com}'_{i,b}\}$, $\mathsf{Equiv}$, $\mathsf{PoK}_2$, and $\mathsf{FS}_2$. 

Third round. Player 1 proceeds as follows: 

1. If any of the $\{f_{i,b}\}$ are not valid², player 1 aborts. Otherwise, player 1 will 
use $k$ parallel invocations of oblivious transfer to obtain the input-wire labels 
corresponding to its input $x$. Formally, for each $i$ player 1 prepares values $z_{i,0}, z_{i,1}$ 
in the following way: 

— If $x_i = 0$, choose random $z'_{i,0} \in \{0,1\}^k$ and set $z_{i,0} = f^k_{i,0}(z'_{i,0})$. Also, set 
$z_{i,1} = r_{i,1} \oplus r'_{i,1}$ (recall, $r_{i,1}$ was committed to by player 1 in the first 
round, and $r'_{i,1}$ was obtained from player 2 in the second round). 

— If $x_i = 1$, choose random $z'_{i,1} \in \{0,1\}^k$, set $z_{i,1} = f^k_{i,1}(z'_{i,1})$, and set 
$z_{i,0} = r_{i,0} \oplus r'_{i,0}$. 

2. Define $\mathsf{statement}_3$ as follows: 

$$\exists\, \{(r_i, \omega_i)\}_{1 \le i \le k} \text{ s.t. } \forall i : 
\big(\mathsf{Com}_{i,0} = \mathsf{Com}(r_i; \omega_i) \wedge z_{i,0} = r_i \oplus r'_{i,0}\big) \ \vee\ 
\big(\mathsf{Com}_{i,1} = \mathsf{Com}(r_i; \omega_i) \wedge z_{i,1} = r_i \oplus r'_{i,1}\big).$$

Informally, this says that player 1 correctly constructed the $\{z_{i,b}\}$ values. 

3. Player 1 then prepares the final message (denoted $\mathsf{PoK}_3$) for the proof of 
knowledge begun in round 1.³ The statement to be proved is: $\mathsf{statement}_1 \wedge 
\mathsf{statement}_3$. Player 1 also prepares the third message for the modified Feige-Shamir 
ZK protocol (denoted $\mathsf{FS}_3$). 

4. The message includes $\{z_{i,b}\}$, $\mathsf{PoK}_3$, and $\mathsf{FS}_3$. 



Fourth round. The second player proceeds as follows: 

1. If either $\mathsf{PoK}_3$ or $\mathsf{FS}_3$ would cause rejection, player 2 aborts. Otherwise, 
player 2 completes the oblivious transfer in the standard way. Namely, for 
each $z_{i,b}$ sent in the previous round, player 2 computes $z'_{i,b} = f^{-k}_{i,b}(z_{i,b})$ and 
xor's the $k$ resulting hard-core bits with the corresponding input-wire labels 
thusly: $W_{i,b} = \mathbf{h}(z'_{i,b}) \oplus Z_{i,b}$. 

2. Define $\mathsf{statement}_4$ as follows: 

$$\exists\, \{(Z_{i,b}, \omega'_{i,b}, z'_{i,b})\}_{1 \le i \le k;\, b \in \{0,1\}} \text{ s.t. } \forall i, b : 
\big(\mathsf{Com}'_{i,b} = \mathsf{Com}(Z_{i,b}; \omega'_{i,b})\big) \wedge \big(f^k_{i,b}(z'_{i,b}) = z_{i,b}\big) \wedge \big(W_{i,b} = \mathbf{h}(z'_{i,b}) \oplus Z_{i,b}\big).$$

Informally, this says that player 2 performed the oblivious transfer correctly. 

3. Player 2 prepares the final message (denoted $\mathsf{FS}_4$) for the modified Feige-Shamir 
protocol. The statement to be proved is: $\mathsf{statement}_2 \wedge \mathsf{statement}_4$. 

² Recall (cf. Definition 1) that the trapdoor permutation family is certifiable. 

³ An honest player 1 actually knows multiple witnesses for $\mathsf{statement}_1$. For concreteness, 
we have the player choose one of these at random to complete the proof. 
4. Finally, player 2 decommits $\mathsf{Equiv}$ as $\mathsf{circuit}$ (recall from Section 2 how decommitment 
is done for equivocal commitments). 

5. The message includes the $\{W_{i,b}\}$, $\mathsf{circuit}$ (and the corresponding decommitment), 
and $\mathsf{FS}_4$. 

Output computation. The first player concludes the protocol as follows: If 
$\mathsf{FS}_4$ or the decommitment of $\mathsf{circuit}$ would cause rejection, player 1 aborts. 
Otherwise, by completing the oblivious transfer (in the standard way) player 
1 obtains $Z_i = Z_{i,x_i}$ (recall, $x$ is the input of player 1) and computes $v = 
\mathsf{Yao}_2(\mathsf{circuit}, Z_1, \ldots, Z_k)$. If $v \neq \bot$, it outputs $v$. Otherwise, it aborts. 

Sufficient assumptions. As noted in Section 2, every component of the above 
protocol may be based on the existence of a trapdoor permutation family (the 
certifiability property is only needed for the verification performed by player 1 at 
the beginning of the third round). Furthermore, as noted in Remark 1, although 
the description of the protocol (and its proof of security) use the definition of 
a trapdoor permutation family given by Definition 1, it is possible to adapt the 
protocol so that its security may be based on any family of (certified) enhanced 
trapdoor permutations, as per the definitions of [24, 26]. 

Theorem 2. Assuming the existence of a trapdoor permutation family, the above 
protocol $\Pi$ securely computes functionality $F$. 

Proof. We separately prove two lemmas dealing with possible malicious behavior 
of each of the parties; the theorem follows. We first consider the case when 
player 2 is malicious: 



Lemma 1. Let $(A_1, A_2)$ be a pair of (non-uniform) ppt machines in which $A_1$ 
is honest. There exist a pair of (non-uniform) expected polynomial-time machines 
$(B_1, B_2)$ such that 

(1) 

Proof (sketch). Clearly, we may take $B_1$ to be honest. We assume that $A_2$ is 
deterministic, and construct $B_2$ using black-box access to $A_2$ as follows: 

1. $B_2$ runs a copy of $A_2$ internally, passing to it any auxiliary information $z$. 
To emulate the first round of the protocol, $B_2$ acts exactly as an honest 
player 1, generates a first-round message, and passes this message to $A_2$. 
In return, $B_2$ receives a second-round message which includes, in particular, 
$\{r'_{i,b}\}$. If an honest player 1 would abort after receiving this second-round 
message, $B_2$ aborts (without sending any input to the trusted party) and 
outputs whatever $A_2$ outputs. 

2.  Otherwise $B_2$ generates a third-round message exactly as an honest player 1 
would, with the following exception: for all $i, b$, it sets $z_{i,b} = r_{i,b} \oplus r'_{i,b}$. Note 
in particular that $B_2$ can easily compute $\mathsf{PoK}_3$, since both $\mathsf{statement}_1$ and 
$\mathsf{statement}_3$ are true. It passes the third-round message to $A_2$, and receives 
in return a fourth-round message. 

3. If an honest player 1 would abort after receiving the fourth-round message, 
$B_2$ aborts (without sending any input to the trusted party) and outputs 
whatever $A_2$ outputs. Otherwise, $B_2$ attempts to extract⁴ from $A_2$ an input 
value $y$ (cf. step 4 of the second round in the description of the protocol). If 
extraction fails, $B_2$ aborts and outputs $\mathsf{fail}$. 

4. Otherwise, $B_2$ sends $y$ to the trusted party. It then stops and outputs whatever 
$A_2$ outputs. 

We may note the following differences between the ideal world and the real 
world: (1) in the third round, $B_2$ sets $z_{i,b} = r_{i,b} \oplus r'_{i,b}$ for all $i, b$, whereas an 
honest player 1 does this only for $i, b$ such that $x_i \neq b$; also (2) $B_2$ passes the 
input value $y$ to the trusted party (and hence player 1 will receive the value 
$F(x, y)$ from this party), whereas in the real world player 1 will compute an 
output value based on the circuit and other values it receives from $A_2$ in the 
fourth round. Nevertheless, we claim that Equation (1) holds based on (1) the 
hiding property of the commitment scheme used in the first round and (2) the 
argument of knowledge (and hence soundness) property of the modified Feige-Shamir 
protocol (cf. Appendix B), as well as the correctness of the Yao "garbled 
circuit" construction. A complete proof appears in the full version. 



Lemma 2. Let $(A_1, A_2)$ be a pair of (non-uniform) ppt machines in which $A_2$ 
is honest. There exist a pair of (non-uniform) expected polynomial-time machines 
$(B_1, B_2)$ such that 

(2) 

Proof (sketch). Clearly, we may take $B_2$ to be honest. We assume that $A_1$ is 
deterministic, and construct $B_1$ using black-box access to $A_1$ as follows: 

1. $B_1$ runs a copy of $A_1$ internally, passing to it any auxiliary information $z$ 
and receiving a first-round message from $A_1$. Next, $B_1$ emulates the second 
round of the protocol as follows: it generates $\{f_{i,b}\}$, $\{r'_{i,b}\}$, and $\mathsf{PoK}_2$ 
exactly as an honest player 2. All the commitments $\mathsf{Com}'_{i,b}$, however, are 
random commitments to $0^k$. Furthermore, commitment $\mathsf{Equiv}$ is set up in 
an "equivocal" way (cf. Section 2) so that $B_1$ will later be able to open this 
commitment to any value of its choice. $B_1$ prepares $\mathsf{FS}_2$ using the ZK simulator 
for the modified Feige-Shamir protocol (cf. Appendix B). $B_1$ passes 
the second-round message thus constructed to $A_1$, and receives in return a 
third-round message. If an honest player 2 would abort after receiving this 
message, $B_1$ aborts (without sending any input to the trusted party) and 
outputs whatever $A_1$ outputs. 

2. Otherwise, $B_1$ attempts to extract (cf. footnote 4) values $\{(r_i, \omega_i)\}_{1 \le i \le k}$ 
corresponding to (half) the commitments $\{\mathsf{Com}_{i,b}\}$ sent by $A_1$ in the first 
round. If extraction fails, $B_1$ outputs $\mathsf{fail}$. Otherwise, let $b_i \in \{0,1\}$ be such 
that $\mathsf{Com}_{i,b_i} = \mathsf{Com}(r_i; \omega_i)$. $B_1$ then defines a string $x = x_1 \cdots x_k$ as follows: 

If $z_{i,b_i} = r_i \oplus r'_{i,b_i}$ then $x_i = \bar{b}_i$; otherwise, $x_i = b_i$. 

($x_i$ is $B_1$'s "guess" as to which input-wire label $A_1$ is "interested in".) $B_1$ 
sends the string $x$ thus defined to the trusted party, and receives a value $v$ in 
return. It then runs $\mathsf{Yao\text{-}Sim}(x, v)$ to generate a garbled circuit $\mathsf{circuit}$ along 
with input-wire labels $\{Z_i\}$ (cf. Section 2). $B_1$ then prepares the "answers" 
$\{W_{i,b}\}$ to the oblivious transfer as follows, for each $i$: it correctly sets $W_{i,x_i} = 
\mathbf{h}(z'_{i,x_i}) \oplus Z_i$, but chooses $W_{i,\bar{x}_i}$ at random. 

3. $B_1$ emulates the fourth round of the protocol as follows: it sends the $\{W_{i,b}\}$ 
as computed above, sends $\mathsf{circuit}$ as computed above (note that the corresponding 
decommitment can be given since $\mathsf{Equiv}$ was constructed in an 
"equivocal" way), and uses the simulator for the modified Feige-Shamir protocol 
to compute $\mathsf{FS}_4$ (cf. Appendix B). $B_1$ passes the final message thus 
constructed to $A_1$, and outputs whatever $A_1$ outputs. 

We note (informally) the following differences between the ideal world and the 
real world: (1) $\{\mathsf{Com}'_{i,b}\}$ are commitments to $0^k$ rather than to "real" input-wire 
labels; (2) $\mathsf{Equiv}$ is set up so that $B_1$ can "equivocate" and later open this as 
any value it chooses; (3) the modified Feige-Shamir ZK argument is simulated 
rather than real; (4) the answers $\{W_{i,\bar{x}_i}\}$ are "garbage" (where $x$ is $B_1$'s guess as 
to the "input" of $A_1$); and (5) the garbled circuit is constructed using $\mathsf{Yao\text{-}Sim}$ 
rather than $\mathsf{Yao}_1$. Nevertheless, we claim that Equation (2) holds. Due to lack 
of space, a complete proof appears in the full version. 

⁴ Technically, $B_2$ runs a witness-extended emulator [37] for the modified Feige-Shamir 
proof system, which results in a transcript $t$ and a witness $w$. This is what we mean 
when we informally say that $B_2$ "attempts to extract". 



4.1 Handling Adaptive Adversaries 

We briefly sketch how the protocol above can be modified - without increasing 
the round complexity - to provide security against an adaptive adversary who 
can monitor communication between the parties and decide whom to corrupt 
at any point during the protocol based on this information. (We consider only 
an adversary who can corrupt at most one of the parties.) In brief, we modify 
the protocol by using a (public-key) adaptively-secure encryption scheme [12] to 
encrypt the communication between the two parties. Two issues arise: 

1. The encryption scheme of [12] requires a key-generation phase which would 
necessitate additional rounds. We avoid this extra phase using the assump- 
tion of simulatable public-key cryptosystems [16] (see below). The existence 
of such cryptosystems is implied in particular by the DDH assumption [16]; 
see there for constructions based on alternate assumptions. 

2. Regardless of the encryption scheme used, one additional round seems necessary 
just to exchange public keys. To avoid this, we do not encrypt the 
first message from player 1 to player 2. Nevertheless, the modified protocol 
is adaptively-secure: the proof uses the fact that the first round (as well as 
the internal state after the first round) is identical in both the real execution 
and the simulation for a malicious player 2 (cf. the proof of Lemma 1). 

The modified protocol. Before describing our construction of an adaptively-secure 
encryption scheme, we outline how it will be used to achieve adaptive 
security for our protocol. Let $\Pi$ denote the protocol given in the previous section. 
Our adaptively-secure protocol $\Pi'$ proceeds as follows: in the first round of 
$\Pi'$, player 1 sends a message just as in the first round of $\Pi$, but also sends 
sufficiently-many public keys (for an adaptively-secure encryption scheme) to 
enable player 2 to encrypt the messages of rounds two and four. (The adaptively-secure 
encryption scheme we use only allows encryption of a single bit; therefore, 
the number of public keys sent by player 1 is equal to the bit-length of messages 
two and four in $\Pi$.) In the second round of $\Pi'$, player 2 constructs a message as in 
$\Pi$, encrypts this message using the corresponding public keys sent in round one, 
and additionally sends sufficiently-many public keys (for an adaptively-secure 
encryption scheme) to enable player 1 to encrypt the messages of rounds three 
and five. $\Pi'$ proceeds by having the players construct a message just as in the 
corresponding round of $\Pi$ and then having them encrypt these messages using 
the appropriate public keys sent by the other player. 

We defer a proof of security for this construction to the final version. 

An adaptively-secure encryption scheme. Informally, a public-key cryp- 
tosystem for single-bit plaintexts is simulatable if (1) it is possible to obliviously 
generate a public key without learning the corresponding secret key, and also 
(2) given a public key, it is possible to obliviously sample a random (valid) ci- 
phertext without learning the corresponding message. We assume further that 
if a ciphertext is obliviously sampled in this way, then the probability that the 
corresponding plaintext will be a 0 or 1 is equal (or statistically close). See [16, 
Def. 2] for a formal definition. 

Given such a cryptosystem, our construction of an adaptively-secure encryption
scheme for a single bit is as follows: the receiver generates $k$ pairs
$(pk_{i,0}, pk_{i,1})$ of public keys by generating one key of each pair (selected at
random) using the key-generation algorithm, and the other key using the oblivious
sampling algorithm. This also results in a set of $k$ secret keys (one for each pair
of public keys). To encrypt a bit $\omega$, the sender proceeds as follows: for each
index $i$, choose a random bit $b_i$, set $C_{b_i} \leftarrow \mathcal{E}_{pk_{i,b_i}}(\omega)$ and choose
$C_{\bar{b}_i}$ using the oblivious sampling algorithm. Then send the $k$ ciphertext
pairs $(C_0, C_1)$.

To decrypt, the receiver decrypts one ciphertext out of each pair using the
secret key it knows, and sets the decrypted message equal to the majority of the
recovered bits. Note that correctness holds with all but negligible probability
since (on average) 3/4 of the $2k$ ciphertexts constructed by the sender decrypt to
the desired message $\omega$ (namely, the $k$ ciphertexts encrypted using the legitimate
encryption algorithm, along with (on average) 1/2 of the remaining $k$ ciphertexts
chosen via the oblivious sampling algorithm).

We defer a proof that this scheme is adaptively secure to the full version. 
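The $k$-pair construction above, as an added example that is not the paper's code. The simulatable single-bit cryptosystem is replaced by a toy ElGamal-style stand-in whose parameters (a tiny safe-prime group, a bit encoded as the low bit of a random quadratic residue) are assumptions of this example and are insecure at this size; only the interface the construction needs is modelled.

```python
# Added example (not the paper's code): the k-pair adaptively-secure bit
# encryption built on a "simulatable" single-bit PKE. The PKE below is a toy
# ElGamal-style stand-in over an assumed, tiny safe-prime group; it models
# honest keygen, oblivious keygen (no secret key), encryption, oblivious
# ciphertext sampling and decryption, and is NOT secure at this size.
import secrets

P = 10007            # constructed toy parameter: safe prime p = 2q + 1
Q = (P - 1) // 2     # q = 5003, the order of the quadratic-residue subgroup
G = 4                # generator of the order-q subgroup (4 = 2^2 is a QR)


def rand_qr():
    """Uniform element of the QR subgroup, sampled without learning its dlog."""
    return pow(secrets.randbelow(P - 1) + 1, 2, P)


def pke_keygen():
    """Honest key generation: pk = g^x, sk = x."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x


def pke_oblivious_keygen():
    """Oblivious key sampling: a random subgroup element, with no secret key."""
    return rand_qr()


def pke_enc(pk, bit):
    """Encrypt one bit: encode it as the low bit of a random QR, then ElGamal."""
    while True:
        m = rand_qr()
        if (m & 1) == bit:
            break
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (pow(pk, r, P) * m) % P


def pke_oblivious_sample():
    """Oblivious ciphertext sampling: a random pair of subgroup elements. Under
    any secret key it decrypts to a random QR, hence to a random bit."""
    return rand_qr(), rand_qr()


def pke_dec(sk, ct):
    c1, c2 = ct
    m = (c2 * pow(c1, P - 1 - sk, P)) % P      # m = c2 / c1^sk
    return m & 1


# ---- the paper's k-pair construction on top of the stand-in ---------------

def receiver_keygen(k):
    """k pairs (pk_{i,0}, pk_{i,1}); in each pair a random slot j_i holds an
    honest key whose secret key is kept, the other slot an oblivious key."""
    pairs, keys = [], []
    for _ in range(k):
        j = secrets.randbelow(2)
        pk, sk = pke_keygen()
        pair = [None, None]
        pair[j], pair[1 - j] = pk, pke_oblivious_keygen()
        pairs.append(tuple(pair))
        keys.append((j, sk))
    return pairs, keys


def sender_encrypt(pairs, bit):
    """For each pair pick a random b_i, encrypt under pk_{i,b_i} and put an
    obliviously sampled ciphertext in the other slot."""
    cts = []
    for pk0, pk1 in pairs:
        b = secrets.randbelow(2)
        pair = [None, None]
        pair[b] = pke_enc((pk0, pk1)[b], bit)
        pair[1 - b] = pke_oblivious_sample()
        cts.append(tuple(pair))
    return cts


def receiver_decrypt(keys, cts):
    """Decrypt the one ciphertext per pair the receiver has a key for (correct
    w.p. 3/4: always if b_i = j_i, a coin flip otherwise) and take the majority."""
    votes = sum(pke_dec(sk, cts[i][j]) for i, (j, sk) in enumerate(keys))
    return 1 if 2 * votes > len(keys) else 0


def oblivious_decrypt_bias(trials=2000):
    """Fraction of 1s obtained by decrypting obliviously sampled ciphertexts;
    close to 1/2, which is what the majority argument relies on."""
    _, sk = pke_keygen()
    return sum(pke_dec(sk, pke_oblivious_sample()) for _ in range(trials)) / trials


if __name__ == "__main__":
    pairs, keys = receiver_keygen(128)
    for bit in (0, 1):
        assert receiver_decrypt(keys, sender_encrypt(pairs, bit)) == bit
    print("oblivious ciphertexts decrypt to 1 with frequency", oblivious_decrypt_bias())
```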
A Black-Box Simulation 

Typical definitions of security for two-party computation only require that for
every pair of admissible real-world adversaries $A$ there exists a pair of ideal-world
adversaries $B$ satisfying some relevant criterion (namely, indistinguishability of
the resulting output distributions). Most work in this area, however, (and especially
prior to the work of Barak [1]) proves the existence of such a $B$ via what
is known as a black-box simulation; this means that the ideal-model adversary
$B_1$ corresponding to the dishonest real-model adversary $A_1$ is constructed using
only oracle access to $A_1$.

More formally, a black-box simulation for party 1 (with a completely analogous
definition for black-box simulation for party 2) implies the existence of
a simulator $S_1$ for which the following holds: For any real-model adversary $A_1$,
let $B_1(x, z; r_A, r_S)$ (where $x, z$ are the inputs of $B_1$ and $r = (r_A, r_S)$ are the
random coins of $B_1$) be defined by $S_1^{A_1(x, z, \cdot\,; r_A)}(x; r_S)$, where $A_1(x, z, \cdot\,; r_A)$
denotes the next-message function of $A_1$ on the given inputs and random coins
(we stress that $S_1$ is not explicitly given the auxiliary input $z$ nor the random
coins $r_A$). Then $A = (A_1, A_2)$ and $B = (B_1, B_2)$ (where $A_2, B_2$ are just the honest
algorithms) satisfy the relevant criterion. Furthermore, $S_1$ runs in expected
polynomial-time, where each oracle call to $A_1(x, z, \cdot\,; r_A)$ is counted as a single
step. Finally (although this is not essential to our results), it is typical to
assume that $S_1$ is a uniform algorithm. Note that if $A_1$ runs in strict polynomial
time, the above implies that the entire algorithm $B_1$ runs in expected polynomial
time; furthermore, if $A_1$ is uniform then so is $B_1$ (on the other hand, if $A_1$ is
a non-uniform machine, then $B_1$ will be too). We say that a protocol is proven
secure via black-box simulation if the simulations for both parties are black-box.

We stress a crucial point about the above: when we say $S_1$ runs in expected
polynomial-time, we mean that there is a fixed polynomial $q(\cdot)$ such that the
expected running time of $S_1$ on input $x$, when interacting with any $A_1$ (and
counting queries to $A_1$ as a single step), is $q(|x|)$. On the other hand, the expected
running time of $B_1$ (including the steps of $A_1$, and no longer counting each query
to $A_1$ as a single step) cannot be bounded a priori by any fixed polynomial, as
the running time of $B_1$ will of course depend on the running time of $A_1$. Of
course, as noted above, if $A_1$ runs in strict polynomial time $q'(\cdot)$ then $B_1$ runs in
expected time (at most) $q'(\cdot)\,q(\cdot)$, which is polynomial. (Note that this definition
of black-box simulation avoids the technical problem of, e.g., [28] regarding the
need for $B_1$ to feed $A_1$ coins whose length depends on $A_1$ and is not bounded
a priori by any polynomial.)

B Proof Systems Used in This Work 

We provide here a laconic sketch of the proof systems claimed in Section 4; 
further details and proofs will appear in the full version. We first describe the 
WI proof of knowledge of [36] (as described in [18]). 

We will be working with the NP-complete language HC of graph Hamiltonicity,
and thus assume statements to be proved take the form of graphs,
while witnesses correspond to Hamilton cycles. If thm is a graph, we abuse
notation and also let thm denote the statement “thm $\in$ HC”. We show how the
proof system can be used to prove the following statement: thm $\wedge$ thm', where
thm will be included as part of the first message, while thm' is only included in
the last round (indeed, it will not be fixed until the third round begins). The
proof system runs $k$ parallel executions of the following 3-round protocol:

1. The prover commits to two adjacency matrices for two randomly-chosen cycle
graphs $C, C'$. The commitment is done bit-by-bit using a perfectly-binding
commitment scheme.

2. The verifier responds with a single bit $b$, chosen at random.

3. If $b = 0$, the prover opens all commitments. If $b = 1$, the prover sends two
permutations mapping the cycle in thm (resp., thm') to $C$ (resp., $C'$). For
each non-edge in thm (resp., thm'), the prover opens the commitment at the
corresponding position in $C$ (resp., $C'$).

4. The verifier checks that all commitments were opened correctly. If $b = 0$, the
verifier additionally checks whether both decommitted graphs are indeed
cycle graphs. If $b = 1$, the verifier checks whether each non-edge in thm
(resp., thm') corresponds to a non-edge in $C$ (resp., $C'$).

Note that the prover does not need to know either thm or thm' (or the corre- 
sponding witnesses) until the beginning of the third round. However, we assume 
thm is fixed as part of the first-round message because this will enable us to 
claim stronger properties about the above proof system. 

Very informally, we claim that the proof system above satisfies the following: 

• It is complete and sound. In particular, the probability that an all-powerful
prover can cause a verifier to accept when either thm or thm' are not true
is at most $2^{-k}$. We stress that this holds even if the prover can adaptively
choose thm' after viewing the second-round message of the verifier.

• It is witness indistinguishable. 
• It is a proof of knowledge for thm. (More formally, we can achieve a notion
similar to that of witness-extended emulation [37] for thm.) We do not know
whether such a claim holds for thm'.

Note also that the first round of the above proof system (as well as the 
internal state of the prover immediately following this round) is independent of 
thm or the associated witness. We rely on this fact in Section 4.1. 
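One execution of the 3-round proof system above, as an added example that is not from the paper: the prover's first message takes only the vertex count $n$, and thm, thm' and their witnesses enter only in round three. Assumptions of this example: a SHA-256 commitment stands in for the perfectly-binding scheme (it is only computationally binding), and a single execution is shown instead of the $k$ parallel ones.

```python
# Added example (not the paper's code): one execution of the 3-round WI proof
# sketched above for two Hamiltonicity statements thm and thm'. Graphs are
# adjacency matrices; a witness is a Hamiltonian cycle given as a vertex order.
# Assumed here: a SHA-256 commitment replaces the perfectly-binding scheme.
import hashlib
import secrets

_rng = secrets.SystemRandom()


def commit(bit):
    r = secrets.token_bytes(16)
    return hashlib.sha256(r + bytes([bit])).digest(), (bit, r)


def verify_opening(com, bit, r):
    return bit in (0, 1) and hashlib.sha256(r + bytes([bit])).digest() == com


def cycle_graph(n):
    """Random cycle graph on n vertices: (adjacency matrix, vertex order)."""
    order = list(range(n))
    _rng.shuffle(order)
    adj = [[0] * n for _ in range(n)]
    for i in range(n):
        u, v = order[i], order[(i + 1) % n]
        adj[u][v] = adj[v][u] = 1
    return adj, order


def is_cycle_graph(adj):
    """True iff adj is a loop-free, symmetric graph forming a single n-cycle."""
    n = len(adj)
    if any(adj[u][u] or sum(adj[u]) != 2 or
           any(adj[u][v] != adj[v][u] for v in range(n)) for u in range(n)):
        return False
    prev, cur, seen = -1, 0, set()
    for _ in range(n):  # walk along the cycle; it must close after n steps
        seen.add(cur)
        prev, cur = cur, next(v for v in range(n) if adj[cur][v] and v != prev)
    return cur == 0 and len(seen) == n


def prover_round1(n):
    """Round 1: commit bit-by-bit to two random cycle graphs C, C'. Neither
    thm nor thm' (nor any witness) is needed yet."""
    coms, state = [], []
    for _ in range(2):
        adj, order = cycle_graph(n)
        c = [[None] * n for _ in range(n)]
        o = [[None] * n for _ in range(n)]
        for u in range(n):
            for v in range(n):
                c[u][v], o[u][v] = commit(adj[u][v])
        coms.append(c)
        state.append((order, o))
    return coms, state


def prover_round3(state, b, thm, wit, thm2, wit2):
    """Round 3: b = 0 opens everything; b = 1 sends, per statement, the
    permutation mapping the witness cycle onto the committed cycle and the
    openings at the images of all non-edges (0 bits of C resp. C')."""
    if b == 0:
        return [o for _, o in state]
    resp = []
    for (graph, cyc), (order, o) in zip(((thm, wit), (thm2, wit2)), state):
        n = len(graph)
        pi = [None] * n
        for i in range(n):
            pi[cyc[i]] = order[i]  # i-th witness vertex -> i-th vertex of C
        opened = {(u, v): o[pi[u]][pi[v]] for u in range(n)
                  for v in range(n) if u != v and not graph[u][v]}
        resp.append((pi, opened))
    return resp


def verifier_round4(coms, b, resp, thm, thm2):
    """Round 4: check openings, then the cycle-graph (b = 0) or non-edge
    (b = 1) condition. thm' is first needed here, as in the text."""
    if b == 0:
        for c, o in zip(coms, resp):
            n = len(c)
            if not all(verify_opening(c[u][v], *o[u][v])
                       for u in range(n) for v in range(n)):
                return False
            if not is_cycle_graph([[o[u][v][0] for v in range(n)] for u in range(n)]):
                return False
        return True
    for graph, c, (pi, opened) in zip((thm, thm2), coms, resp):
        n = len(graph)
        if sorted(pi) != list(range(n)):
            return False
        for u in range(n):
            for v in range(n):
                if u != v and not graph[u][v]:
                    bit, r = opened.get((u, v), (None, b""))
                    if bit != 0 or not verify_opening(c[pi[u]][pi[v]], bit, r):
                        return False
    return True
```

A real run answers one challenge per round-1 commitment; reusing the same commitments for both values of $b$ is only for inspecting both branches.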

Next, we informally describe our modification of the Feige-Shamir ZK argument
of knowledge [19] which will allow the prover to prove thm $\wedge$ thm', where
thm is sent as part of the second round yet thm' is only sent as part of the last
round (indeed, it need not be known until the beginning of that round). We use
the notation used in the description of the Feige-Shamir protocol in [18, Prot.
8.2.62]. Our modified protocol proceeds as follows:

1. The first round is as in the original protocol, and includes values $x_1, x_2$.

2. The prover chooses a random $R \in \{0,1\}^k$ and computes $\mathrm{Equiv} = \mathrm{Equiv}(R, C)$
(cf. Section 2). Let ok denote the statement that Equiv was formed correctly.

3. Let $\widehat{\mathrm{thm}}$ denote the statement $(\mathrm{thm} \wedge \mathrm{ok}) \vee (f(w') = x_1) \vee (f(w') = x_2)$ (this
statement is reduced to a single graph $\widehat{\mathrm{thm}}$). The prover sends Equiv and also
the first message of the WI proof system described above.

4. The verifier’s third message is as in the original protocol, except that the
verifier additionally chooses and sends a random $R' \in \{0,1\}^k$.

5. The prover decommits (as in Sec. 2) to $R$. Let prg be the statement that
$r = R \oplus R'$ is pseudorandom (i.e., $\exists s$ s.t. $G(s) = r$, for $G$ a PRG). Let $\widehat{\mathrm{thm}}'$
be the statement $\mathrm{thm}' \vee \mathrm{prg}$ (reduced to a single graph $\widehat{\mathrm{thm}}'$). The prover
completes the WI proof system, as above, for the statement $\widehat{\mathrm{thm}} \wedge \widehat{\mathrm{thm}}'$.

6. The verifier checks the decommitment of R, and verifies the proof as before. 

We claim the following about the above proof system: 

• It is complete and sound (for a poly-time prover) for thm and thm'. (As
argued earlier, rounds 2-4 constitute a proof of knowledge for $\widehat{\mathrm{thm}}$. As in [18]
- relying on the one-wayness of $f$ - this implies that if a poly-time prover
can cause a verifier to accept with “high” probability, then a witness for
$\mathrm{thm} \wedge \mathrm{ok}$ can be extracted with essentially the same probability. If ok is true,
then with all but negligible probability prg will not be true. Soundness of
the proof of knowledge sub-protocol then implies that $\widehat{\mathrm{thm}}'$ is true. But this
means that thm' is true.)

• It is zero-knowledge. (In addition to simulating for thm as in [18], the sim- 
ulator also uses the equivocal commitment property to decommit to an R 
such that prg is true.) 

• It is an argument of knowledge for thm (we have already argued as much
above).
1 Introduction 

We live in perilous times. We live in times where a dirty bomb going off in lower 
Manhattan is not unimaginable. We live in times where the CIA interrogations 
of al Qaeda leaders were so harsh that the FBI would not let its agent participate 
[36]. We live in times when security and liberty are both endangered. 

We also live in times of unimaginable technical creativity. It is faster to use 
Instant Messaging to query a colleague halfway across the world than it is to 
walk down the hallway and ask the question, when Google can search four billion 
web pages faster than the time it takes to pull the right volume of the Oxford 
English Dictionary off the library shelf. We live surrounded by a plethora of 
communicating and computing devices — telephones, PDAs, cell phones, lap- 
tops, PCs, computers — and this is only the beginning of the communications 
revolution. 

September 11th presaged a radical change in terrorist intent, a radical change
that few had anticipated. The U.S. government responded to September 11th
in a number of ways, including the passage of the U.S.A. Patriot Act, which
qualitatively extended the government’s electronic-surveillance capabilities. The
Patriot Act engendered strong debate (though not in Congress, where the law
passed handily). The most controversial issue regarding the changes in electronic-
surveillance law was that the requirement that foreign intelligence be a “primary”
reason for a Foreign Intelligence Surveillance Act (FISA) wiretap was modified
so that foreign intelligence need only be a “significant” reason for a FISA tap.

Absent from the debates on the Patriot Act was an acknowledgement of
the radical changes that had occurred in communications technologies since the
passage of the first Federal wiretap statute in 1968. Communications technology
has changed in numerous ways over the past forty years — there is now
wide availability of mobile communications, a vast increase in connectivity, and
packet-switched systems are being employed for telephony — but there has been
no commensurate review of electronic-surveillance laws. We are in a peculiar
state: we communicate using mobile phones and laptops, but the laws governing
electronic surveillance were developed at a time of fixed-location circuit-based
switching systems. Instead of a full-scale reevaluation of surveillance laws, over
the last two decades we have pursued a path of minor tweaks to the electronic-
surveillance laws. The result is an electronic-surveillance regime that may be well
out of sync with the times. This has serious implications for security, liberty,
technology, and innovation. In this paper, we examine electronic-surveillance laws in
light of current threats and new technologies. We begin by examining the climate
in which wiretap laws came to be enacted.

2 The Political Climate at the Time of the Wiretap Act 

The sixties were a time of turmoil in the United States, a time of political 
protest, and civil unrest. In 1963, President John Kennedy was assassinated in 
a motorcade in Dallas, Texas. In 1965 Malcolm X was killed as he delivered 
a speech in an auditorium in Harlem. In April 1968, Martin Luther King was 
killed, and two months later, Robert Kennedy, who was running for President, 
was shot moments after he learned he had won the California primary. There had 
been civil rights marches in Washington in the early 1960s, and anti-Vietnam 
protests in the latter half of the decade. In the summer of 1964, downtown 
Newark burned; in 1965, the Watts section of Los Angeles; in 1967, downtown 
Detroit. 

It was against this backdrop that the President’s Commission on Law En- 
forcement and Administration of Justice presented its report. Organized crime 
had been a problem in the United States since Prohibition, but, because FBI Di- 
rector J. Edgar Hoover ignored it, so did the Federal government. Several events 
in the late 1950s and early 1960s changed that. 

The first was the discovery, on November 15, 1957, by a New York state
trooper, of a meeting of organized crime bosses. The trooper was doing routine
morning rounds when he discovered far too many black limousines for the tiny
upstate town of Apalachin. The trooper set up a roadblock; the crime bosses
fled, and “the next day, the nation awoke to headlines like ‘Royal Clambake for
Underworld Cooled by Police,’ and ‘Police Ponder NY Mob Meeting; All Claim
They Were Visiting Sick Friend’” [13, pp. 168-9]. Meanwhile, while counsel to the
Senate Select Committee on Improper Activities in the Labor or Management
Field, Robert Kennedy had uncovered ties between the unions and organized
crime. When he became attorney general, Kennedy made organized crime a
priority [29]. And finally, an organized crime turncoat, Joseph Valachi, broke
the code of silence by testifying to a Senate investigating committee in 1963.

This confluence of events made pursuing organized crime a law-enforcement
priority in the late 1960s. The complications of investigating organized crime
— the reluctance of victims to testify, so-called victimless crimes (e.g., prostitution),
and the corruption of local law enforcement — made electronic surveillance
a particularly valuable tool. The Commission concluded, “A majority of the
members of the Commission believe that legislation should be enacted granting
carefully circumscribed authority for electronic surveillance to law enforcement
officers. . .” [33, p. 203].

But, as noted in [13, p. 170]:

Not all experts agreed with the commission’s conclusions. Attorney General
Clark prohibited all use of wiretaps by federal law-enforcement officers.
He told Congress: “I know of no Federal conviction based upon
any wiretapping or electronic surveillance, and there have been a lot of
big ones. ... I also think that we make cases effectively without wiretapping
or electronic surveillance. I think it may well be that with the
commitment of the same manpower to other techniques, even more convictions
could be secured, because in terms of manpower, wiretapping,
and electronic surveillance is very expensive.” [8, p. 320] Clark pointed
out that in 1967, without using wiretaps, federal strike forces had obtained
indictments against organized-crime figures in nine states, and
that “each strike force has obtained more indictments in its target city
than all federal indictments in the nation against organized crime in as
recent a year as 1960” [8, pp. 79-80].

President Johnson publicly supported Clark’s opposition to wiretapping, and
the President proposed limiting wiretapping to national-security cases [9, p. 222].
But political turmoil and the Crime Commission’s report led Congress in a different
direction, and in 1968 it passed the Omnibus Crime Control and Safe Streets
Act of 1968 (18 U.S.C. §2510-2521), Title III of which legalized law-enforcement
wiretaps in criminal investigations. Because of the very invasive nature of the
search, wiretaps were limited to a list of twenty-six crimes specified in the act,
including murder, kidnapping, extortion, gambling, counterfeiting, and sale of
marijuana. The Judiciary Committee’s report explained that “each offense was
chosen because it was intrinsically serious or because it is characteristic of the
operations of organized crime” [44, p. 97].

President Johnson was ambivalent about wiretaps. He had used them — on
Martin Luther King during the Democratic convention in 1964 and on Vice President
Humphrey in 1968 — but the President described the Title III provisions
for wiretapping as undesirable [9, p. 1842]. Nonetheless Johnson signed the bill.
Because of the invasive nature of electronic surveillance, Congress decided that
there should be stringent oversight, and that review of a federal wiretap warrant
application must be done by a federal district court judge.

The judge must determine that (i) there is probable cause to believe that an 
individual is committing, has committed, or is about to commit an indictable 
offense; (ii) there is probable cause to believe that communications about the 
offense will be obtained through the interception; (iii) normal investigative pro- 
cedures have been tried and either have failed, appear unlikely to succeed, or 
are too dangerous; and (iv) there is probable cause to believe that the facilities 
subject to surveillance are being used or will be used in the commission of the 
crime (§2518 (3)(a-d)). 

Title III covers procedures for obtaining wiretaps for law-enforcement investigation.
In 1972, in a court case involving “domestic national-security issues,”
the Supreme Court ordered an end to warrantless wiretapping, even for national-
security purposes. Because of Watergate, and the discovery of numerous so-called
national-security wiretaps that were actually wiretaps for political purposes [42],
it took until 1978 before Congress was actually able to frame and pass legislation
authorizing procedures for obtaining wiretaps for national-security investigations:
the Foreign Intelligence Surveillance Act. The judge, a member of the
Foreign Intelligence Surveillance Court, a court of eleven judges appointed from
seven of the United States judicial circuits (§1803(a)), must determine (i) that
there is probable cause that the target is a foreign power or an agent of a foreign power,
(ii) that there is probable cause that the targeted communications device is being
used by the foreign power or its agent, (iii) that a primary purpose of
the surveillance is to obtain foreign intelligence information, and (iv) that such
information cannot reasonably be obtained by other investigative techniques.¹

Title III and FISA form the basis for U.S. wiretap law. There are also state 
statutes (approximately half of all criminal wiretaps in the United States are 
done under state wiretap warrants). The rules governing state wiretaps must be 
at least as restrictive as those governing Title III. 

There have been several updates and modifications to the federal wiretap 
statutes, which will be discussed after examining the changes in communications 
technology over the last four decades. 



3 Current Threats 

In the U.S. we are currently seeing a strident debate on surveillance technologies, 
most especially datamining. This paper is not the place for a full discussion of the 
methods and means used in terrorist investigations. In the context of reexamin- 
ing electronic-surveillance laws, however, it is useful to make some observations 
about terrorism and terrorist investigations. 

By any measure, terrorism is a very difficult offense to investigate or prevent. 
In many cases, the first crime committed is the only crime. There is no trail. 
The investigative reporter Seymour Hersh described CIA efforts in southern
Lebanon during the 1980s,

. . . when the C.I.A. started to go after the Islamic Jihad, a radical Lebanese 
group linked to a series of kidnappings in the Reagan years, ‘its people 
systematically went through documents all over Beirut, even destroying 
student records.’ 

One of the hallmarks of modern terrorist groups is the shifting and diffuse 
organizational structure [39, p. 271]. On the one hand, this means that elimi- 
nating the leadership does not necessarily eliminate the problem. On the other, 
diffuse and ever-changing structures create weaknesses within the organization. 
One that can be exploited is the terrorists’ need for communication. 

In this situation, traffic analysis often proves more useful than wiretapping.
Wiretaps can be confused by encryption, even encryption of a very simple sort.
Seymour Hersh reported that

The terrorists coped with the American ability to intercept conversations
worldwide by constantly changing codes — often doing little more than
changing the meanings of commonly used phrases.

¹ The law provides that “[N]o United States person may be considered a foreign power
or an agent of a foreign power solely upon the basis of activities protected by the
first amendment to the Constitution of the United States” (§1805(a)(3)(A)).

The problem of being unable to decode the language is not new. It can even
occur without deliberate intent by the criminal or terrorist group. The National
Research Council report, Cryptography’s Role in Securing the Information Society,
described an FBI wiretap of police officers who were allegedly guarding a
drug shipment. The FBI agents overheard a conversation in which the officers
discussed murdering an individual who had filed a police brutality complaint.
The bureau was unable to decode a participant’s “street slang,” and was thus
unable to prevent the murder [10, p. 88].

The inability to understand surveilled conversations does not mean that the
surveillance is useless. In particular, traffic analysis has become an extremely
valuable aspect of surveillance, and one cannot confuse traffic-analysis efforts in
quite the same way as one confuses content analysis. One example of the value
of traffic analysis is that Osama Bin Laden stopped using a cell phone in late
2001 because of the tracking capabilities of U.S. intelligence.

Even “anonymous” cellphones can be used for tracking. In a case in 2002,
investigators tracked al Qaeda members through terrorists’ use of prepaid Swisscom
phonecards. These had been purchased in bulk — anonymously. But when
investigators discovered through a wiretap on an intercepted call that “lasted
less than a minute and involved not a single word of conversation” that they
were on to an al Qaeda group, the agents tracked the users of the bulk purchase
[45]. The result was the arrest of a number of operatives and the break-up of
al Qaeda cells. You can run, but you can’t hide. Anonymity is not all that it is
cracked up to be.

One important aspect of terrorist investigations is to “follow the money.”
Many terrorist groups hide behind legitimate charitable groups, but these are
groups with money trails [39, p. 274]. (We should note, however, that “following
the money” is not a straightforward issue in terms of civil liberties. The Patriot
Act section dealing with money laundering and terrorist financing is controversial
amidst claims that its provisions have been applied to charitable groups with
no ties to terrorist activities.) Money trails can be complicated to follow, and
the terrorists do a good job of hiding trails by passing money through many
intermediaries, but the fact is that there is a trail. Once there is a trail, it can be
investigated.

The current terrorist threat is very different from earlier terrorist movements.
A difference from earlier terrorism threats, such as the Russian nihilists of the
nineteenth century or the Palestinian terrorists of the 1970s, is the huge reservoir
of potential recruits. Globalization complicates the problem. (Indeed, one
could legitimately argue that globalization is a large part of the problem — but that
is a topic for a different paper.) In the late 1990s, Senators Hart and Rudman
chaired a national security commission study to examine emerging threats. In
a prescient observation, the Hart-Rudman report in early 2001 warned of the
likelihood of catastrophic domestic attacks caused by international terrorism. The
report observed, “All borders will become more porous” [41, p. 2]. This has already
happened in Europe. While the borders have become porous, apparently
cooperation between different nations’ law enforcement has not yet followed suit.

Terrorism is not a passing phenomenon. It will be with us for a long time. It 
is important that we respond to the threat in a way that simultaneously protects 
our security and our liberty. 

4 Changing Communications Technology 

The first hundred years of the telephone saw change: from local systems entirely
mediated by operators to global networks entirely run by electronic switching
systems. There was innovation: the mobile phone, first deployed in 1946 [6, p. 215],
faxes, and modems. There was development of infrastructure: optical fibers and
communication satellites, as well as the digitization of the backbone network.

Yet slightly more than a generation ago, the telephone remained a fixed
device: a black machine with a rotary dial that transmitted voice (also data;
from the beginning, the telephone was also a data-transmission network,
e.g., telegraph). In the sixties, innovation was the introduction of the “Princess”
phone (in colors!: white, beige, pink, blue, or turquoise) and Touchtone service
(buttons instead of rotary dials), while industry got Centrex, an automatic
switching exchange for large offices, and “data-phones” (modems) [6, p. 266].
What occurred in the first century was growth: ten million phone users in 1900,
one hundred million in 1960, five hundred million in 1990².

The innovation of the first hundred years of the telephone pales in contrast 
to the growth and changes of the last decade and a half. There were 1.4 billion 
users in 2000, 400 million of those cell phone users. There probably has been as 
much innovation in telephony in the last quarter century as there had been in 
the previous one hundred years. 

Recent telecommunications growth has been spurred by three technical developments:
mobile technology, greater bandwidth, and the Internet. AT&T has
had car phones since 1946 [6, p. 215], but such service was rare and expensive
until the early 1990s. Mobile technology took off with the 1983 development of
“cell” technology. In under a decade, cell phones have become ubiquitous, as has
the wireless Internet. Once the Web appeared, the race to install broadband was
on. In 1999, less than 10% of U.S. households had broadband; by early 2004,
the percentage was 45% [32]. The shift to Internet communications is the most
fundamental of the changes. The Internet enabled email (which is the killer app
of the Internet) [34], Instant Messaging, and the nascent technology, VoIP (voice
over IP).

This is only the beginning of the communications revolution. We are moving
from a circuit-based system based on transmitting voice to a high-speed, packet-
switched network transmitting data. The pervasiveness of our communication
systems will shift all that we do. These social and technological changes should
be taken into account in the discussion of electronic-surveillance laws.

² These numbers are international.
5 The 2004 Questions 

5.1 What Is the Current Legal Framework? 

Title III and FISA set the framework for U.S. electronic-surveillance laws. Since
their passage (in 1968 and 1978 respectively), there have been three major Federal
laws that affected wiretapping: the Electronic Communications Privacy Act
(ECPA), the Communications Assistance for Law Enforcement Act (CALEA),
and the U.S.A. Patriot Act.

ECPA updated Title III and FISA to apply to “electronic communications,”
defined as communications carried by wire or radio and not involving the human
voice. ECPA was less strict about the type of crimes for which there could be
interception: any federal felony may be investigated using interception of electronic
communications. ECPA also modified the rules for electronic communications.
In contrast to Title III and FISA, which required naming the device and person
to be tapped, ECPA allowed for “roving wiretaps” — wiretaps with unspecified
locations — if there was demonstration of probable cause that the subject was
attempting to evade surveillance by switching telephones. In recognition of the
greater ease in obtaining signalling information, ECPA provided for traffic analysis.
Under ECPA, a subpoena is needed for all pen registers, which record all
numbers dialed from a phone, and all trap-and-trace devices, which record all
numbers dialed to a phone. Furthermore, under ECPA, law enforcement only
needs a search warrant, rather than the more stringent wiretap warrant, to access
stored communications (voice mail or email that has been read and then
stored).

The Communications Assistance for Law Enforcement Act (CALEA) in 1994 
was very controversial. In 1992 the FBI pressed for a “Digital Telephony” bill, 
which required that all telephone-switching equipment be designed to accom- 
modate wiretapping. Civil-liberties groups and the telecommunications industry 
opposed the bill, and there were no sponsors of it. 

The FBI returned to Congress in 1994 with a modified version, the “Communications
Assistance for Law Enforcement Act,” which included a $500 million
authorization (but not appropriation) to the telecommunications companies for
modifications to old equipment (this caused the telecommunications companies
to drop their opposition). The bill required that any equipment deployed after
January 1, 1995 would have to meet law-enforcement interception standards; the
Department of Justice would determine which would be the standards-setting
organization. This bill passed in the waning days of 1994 after certain civil-liberties
groups dropped their opposition.

From the start, implementation of CALEA went badly. The Department of
Justice put the FBI, an agency not known for expertise in telecommunications,
in charge of setting the implementation standards. In October 1995 the FBI
announced its requirements, which would have entailed capacity to simultaneously
monitor thirty thousand lines [19] [20] [13, p. 197], a striking number at
a time when the total number of annual Title III and FISA surveillances, including
pen registers and trap-and-trace devices, was a quarter of that. (In 1995
the average Title III wiretap ran for 29 days [1, p. 13]. There is no public information
about the length of FISA taps.) There were strong objections to the
methodology the FBI used to arrive at this figure and the bureau decided to
reexamine the capacity issue. Their new methodology required capacity to run
sixty-thousand surveillances simultaneously³ [20] [13, p. 198]. Recognizing that
the delay in developing compliance standards made it impossible for the telecommunication
companies to meet the law’s deadline (October 1, 1998, four years
after the passage of CALEA), the FCC granted an extension until June 2000 [22].

There was also a fight about location information for cellular calls. During
hearings on CALEA, FBI Director Freeh had promised that the bill would not
expand wiretapping powers [24, p. 29], and the legislative report stated that
“call-identifying information shall not include any information that may disclose
the physical location of the subscriber” (CALEA §103(a)(2)(B)). Nonetheless the
FBI proposed that the cellular telecommunications group adopt a standard that
would enable law enforcement to quickly establish the location of a wireless
user [30]. In a 2000 decision, the U.S. Court of Appeals upheld the location
standard implemented as a result of CALEA (United States Telecommunications
Association et al. v. FCC and U.S., 99-1442, U.S. Court of Appeals).

In CALEA, Congress defined “information services,” distinguishing it from “telecommunications services.” Information services were defined as “(A) mean[ing] the offering of a capability for generating, acquiring, storing, transforming, processing, retrieving, utilizing, or making available information via telecommunications; and (B) includes (i) a service that permits a customer to retrieve stored information from, or file information for storage in, information storage facilities; (ii) electronic publishing; and (iii) electronic messaging services; but (C) does not include any capability for a telecommunications carrier’s internal management, control, or operation of its telecommunications network” (CALEA §102(6)). The bill explicitly states that the interception requirements do not apply to information services (CALEA §103(b)(2)(A)). 

Over time, the list of crimes for which Title III is applicable grew substantially. It now lists 98 offenses, including computer fraud and abuse (18 U.S.C. §2516). Even though the vast majority of wiretapping investigations concentrate on drug trafficking and organized crime [2, Table 3], the law is not so tightly focused as it had been at its inception. 



5.2 How Exposed Is Personal Information? 

Changes in technology as well as social norms mean that individuals leave tracks wherever they go in modern society. A generation ago, individuals scrawled their names on a card inside the book they borrowed from a library; now library book-borrowing records are entered into a central database. A generation ago, individuals received a hotel key; now the “key” is a plastic card that includes a strip that may or may not have the lodger’s name and credit-card information on it. A generation ago, an individual gave a name for a plane ticket, and then may have sold the ticket to a friend; now the name on government-issued IDs must match the name on the ticket. As Jeffrey Rosen has observed, we are the “naked crowd” [37]. 

^ In both cases, the proposed monitoring capacity appears as a percentage of phone lines. Thus, if the number of phone lines increases, the required monitoring capacity would do so proportionally. 

One significant change over the last several decades is the major loss of anonymity that has resulted from credit cards becoming the payment method of choice. The financial dossiers created enable tracking and identification of individuals in a way that plunking three hundred dollars down for a used car does not. Because credit cards have essentially become required for travel (at least for car rental and hotel reservations), credit-card records provide excellent after-the-fact records of where individuals have been, when (and, in some cases, with whom). Evidence of this is in the tracking of the September 11th hijackers. By September 14, 2001, law enforcement had put together an impressive dossier on the hijackers: where and how they had purchased their tickets, where they were living before the attacks, and where they had gone to flight school (not all of them had) [23]. All of it was in the ubiquitous trail that individuals leave as part of modern life. 

We leave video tracks not just at the airport and the ATM, but at totally unexpected stops. Timothy McVeigh had no intention of leaving a trail when he rented a truck in Junction City, Kansas but, as noted in [13, p. 267], he had. 

Investigators . . . used photos from several days before the explosion to prove that Timothy McVeigh was the “Robert D. Kling” who, on the afternoon of April 17, 1995, in Junction City, Kansas, rented the Ryder truck used in the bombing. Days and weeks after the bombing investigators meticulously reconstructed McVeigh’s movements on April 17. Surveillance photos taken at a McDonalds about a mile from the Ryder agency showed McVeigh at the restaurant at 3:49 and 3:57 PM on that day. Shortly afterward, “Kling” rented the truck. When prosecutors claimed that the McDonalds’ photo was of McVeigh, his lawyer did not dispute the point. The photo was taken several days before there was any hint it would be useful in a criminal case — and then the evidence was available when needed [5]. 

Imminent changes in technology will create even more detailed trails. Sensors, 
low-cost wireless devices, will monitor the environment and report back: “The 
elderly patient has a blood pressure of 110/70,” “The room is at 75 degrees.” 
RFID (Radio Frequency ID) devices will report about items an individual carries 
on his person: clothes, currency, a book. The sensor and RFID communications 
will often occur without the individual’s knowledge^. 

It is not clear how an expiring milk carton informing the supermarket that 
it is time for a new dairy order will benefit tracking of terrorists and criminals. 
But one wouldn’t necessarily have anticipated that an intercepted phone call in 
which no words were spoken and that was paid for via an anonymously-purchased 
prepaid card would have led to a major breakthrough in a terrorist investigation 
either. The fact that data storage is dropping in price encourages the storage of 
transactional information, information that will be accessible to investigators. 

It is not currently the case that an individual’s data is arbitrarily subject to 
law enforcement perusal. The question of under what circumstances government 
can do data mining is currently a subject of much debate and some studies (e.g., 
[40]). In thinking about federal wiretap statutes, it is important to put the issue 
in context, and in particular to be cognizant that there is much more data easily 
accessible on individuals than there was at the time of the passage of the Wiretap 
Act. Under appropriate circumstances, that data is available to law-enforcement 
and national-security officials. 



5.3 What Is the Effect of Communications Surveillance on Liberty? 

We have briefly examined the changes in communications technology and in the 
accessibility of individuals’ private data at the dawn of the twenty-first century. 
We need to begin at the beginning, the time of the founding of the United States. 
As Whitfield Diffie has remarked, 

[P]rior to the electronic era conversing in complete privacy required nei- 
ther special equipment nor advanced planning. Walking a short distance 
away from other people and looking around to be sure that no one 
was hiding nearby was sufficient. Before tape recorders, parabolic mi- 
crophones, and laser interferometers, it was not possible to intercept a 
conversation held out of sight and earshot of other people. No matter 
how much George III might have wanted to learn the contents of Han- 
cock’s private conversations with Adams, he had no hope of doing so 
unless he could induce one or the other to defect to the Crown [13, p. 2]. 

In the United States, the founders reacted to the broad searches by British soldiers under general writs of assistance by restricting government power through the Fourth Amendment of the U.S. Constitution: 

The right of the people to be secure in their persons, houses, papers and 
effects against unreasonable searches and seizures shall not be violated, 
and no Warrants shall issue but upon probable cause, supported by Oath 
or affirmation, and particularly describing the place to be searched, and 
the persons or things to be seized. 

“No warrants shall issue but upon probable cause ... and particularly de- 
scribing the place to be searched, and the persons or things to be seized.” This 
would be significant when it came time to apply the Fourth Amendment to com- 
munications surveillance. Justice Louis Brandeis wrote in his famous dissent in 
the Olmstead case. 

The evil incident to invasion of the privacy of the telephone is far greater 
than that involved in tampering with the mails. Whenever a telephone 
line is tapped, the privacy of the persons at both ends of the line is 
invaded, and all conversations between them upon any subject, and al- 
though proper, confidential, and privileged, may be overheard. Moreover, 
the tapping of one man’s telephone line involves the tapping of the tele- 
phone of every other person whom he may call, or who may call him. As 
a means of espionage, writs of assistance and general warrants are but 
puny instruments of tyranny and oppression when compared with wire 
tapping [4, pp. 475-6]. 

Experiences with government surveillance, extensively described elsewhere (see, e.g., [13, pp. 137–150, 172–179, 271–2], [42]), demonstrated serious dangers to political discourse and public expression. During the period from the 1940s to the 1970s, for example, Supreme Court justices, White House staffers, members of the National Security Council, Congressional staffers, civil-rights leaders, including Martin Luther King and Ralph Abernathy Jr, anti-Vietnam War protesters, and journalists were wiretapped. These breaches made Congress wary of providing law-enforcement and national-security investigators with such a potentially invasive tool. This is why the requirements for a wiretap warrant are significantly more stringent than those for a “normal” search warrant^. 

Wiretaps intrude on a conversation between two people and thus require the 
high level of wiretap search warrant before tapping can commence. But there 
is no similar level of protection for transactional information on what number 
is being called and what number is calling. The legal rationale is that such 
transactional information is already being shared with a third party (in this 
case, the telephone switch) and the communicating parties do not have any 
expectation of privacy on the data. Thus a subpoena, which can be obtained 
from a magistrate, suffices for pen registers and trap-and-trace devices^. 

^ It is also why public reporting of Title III wiretaps is required; each year, the Administrative Office of the U.S. Courts produces a report listing each Title III wiretap of the previous year (ongoing taps are not reported until they have ceased to be used), including the D.A., the judge issuing the wiretap search warrant, the length of order, the “most” serious crime for which the wiretap was ordered (there may be more than one for a single wiretap), the number of incriminating and non-incriminating calls picked up on the wiretap, the cost of the surveillance, etc. (Except for annually reporting to Congress the number of surveillances, there are no public disclosure requirements for FISA wiretaps.) 

^ This paper concentrates on the technology side of the electronic-surveillance issues, not the policy. Nonetheless, we would be remiss if we did not point out that traffic analysis, though usually less intrusive than content surveillance, may nonetheless cause severe privacy breaches. One such example occurred in the 1980s FBI investigation of CISPES, the Committee in Solidarity with the People of El Salvador, an American group which supported the opposition to the El Salvadorian government. On the basis of an informer’s information, the FBI started an investigation of CISPES, eventually culminating in files on more than twenty-three hundred individuals. Much of the information was obtained through phone records. The investigation was not justified; the group was not a terrorist organization, and in 1988, FBI Director William Sessions told Congress that, “[T]here was no reason ... to expand the investigation so widely” [38, p. 122]. 
In this paper we are focusing our discussion on technology implications of wiretapping rather than policy issues. Nonetheless, as we consider the role of surveillance in current communications technology, we must never lose sight of Brandeis’s words, “As a means of espionage, writs of assistance and general warrants are but puny instruments of tyranny and oppression when compared with wire tapping” [4, p. 476]. 

6 Telephony and the Internet: Two Different Architectures 

The Public Switched Telephone Network (PSTN) was built to maximize the 
quality of voice transmissions and everything in the network was designed to 
that end. The Internet was designed for reliability, a very different quality. The 
PSTN uses circuit switching to transmit information from sender to receiver; 
the Internet, packet switching. The PSTN and the Internet have fundamentally 
different architectures. This simple fact means that many of the surveillance 
tasks do not directly translate from one domain to the other. 



6.1 Electronic Surveillance on the Internet 

Consider, for example, the effect of packet-based technology on the transmittal 
of transactional information. In telephony, signaling information appears at the 
beginning of the call and is separated from call contents. In packet-switched 
systems such as the Internet, because data is broken into “packets,” each one of 
which has the addressing information, contents do not have the same physical 
separation from the “signalling” information (probably more properly called 
transactional information in this case). 

Furthermore, electronic communications typically present more personally identifiable information in the so-called transactional information. At a minimum, this may simply include place of business, e.g., susan.landau@sun.com. But it may include much more; e.g., if the transactional information is the result of a Google search, the URL will reveal the search terms^. 

^ That “pen registers” and “trap-and-trace devices” garner additional information when used in packet-switching network systems than they do in traditional circuit-switched telephony systems did not escape the notice of technologists and civil-liberties groups. When the news of Carnivore, the FBI’s Internet monitoring system, became public in the summer of 2000, one of the criticisms of the system was that the transactional information that Carnivore was sweeping up was more than the government was entitled to under the limited subpoena power used for pen registers and trap-and-trace devices. Carnivore was quite controversial. In the summer of 2001, it looked as if there might be Congressional action limiting Carnivore’s use. Instead September 11th happened. The Patriot Act gave law enforcement explicit power to use subpoenas for pen registers and trap-and-trace devices on electronic communications (§216). 
An even more crucial difference between the PSTN and the Internet is that in 
the Internet, the intelligence is at the endpoints. The underlying network system 
is simple, while the endpoints can deploy complex systems. This fundamental 
architectural idea is what makes the Internet so versatile. Applications can be 
designed far beyond what the original designers of the Internet had in mind. And 
indeed, innovation has flourished because the endpoints competed and created 
new services. No one needs to depend on the infrastructure company to do the 
innovation for them. 

The design flexibility comes at a price that we do not often think of as a price: 
the Internet is hard to control. This does not mean political or border controls 
(though those are also often difficult to implement on the Internet) but design 
control. This is not a bug; it is an extremely attractive feature. In a sharp, and 
deliberate, distinction from the telephony network, the Internet was designed 
to be loosely controlled. The layered approach to network design provides that 
effect and is what has enabled much of Internet innovation. 

For those that choose to invest the effort, Internet communications can be 
fully protected. The Internet design of intelligence at the endpoints complicates 
wiretapping, which is useless if end systems adequately protect their commu- 
nications (although a wiretapped encrypted conversation will still provide traf- 
fic information). In recent years, protecting the privacy of communications has 
become an important security goal. Indeed, the U.S. government has moved 
in the direction of simplifying the deployment of communications security in 
commercial equipment, partially as a result of the government’s move to pur- 
chasing COTS (commercial off the shelf) equipment rather than the purchase of 
custom-designed systems. Instead of restricting the use of cryptography, the U.S. 
government has recently encouraged a number of security efforts, including the 
development of the 128-bit Advanced Encryption Standard and the deployment 
of Elliptic Curve Cryptosystems. Attempts to build wiretapping capabilities into 
Internet protocols would seem to go against these efforts. 

At the same time, as an IETF Network Working Group studying the issue of architecting wiretap requirements into Internet protocols observed, “the use of existing network features, if deployed intelligently, provides extensive opportunities for wiretapping” [35]. 



6.2 The Risks Wiretapping Poses to Internet Security 

Under CALEA, telecommunications systems deployed after January 1, 1995 
must be built wiretap accessible. Suppose one were to call for that same require- 
ment on the Internet. Does such an obligation make sense? Can it be architected 
in? What does it do to security requirements? 

Wiretapping is an architected security breach. Saying that Internet commu- 
nication protocols necessarily must have wiretapping requirements built in is to 
say that security loopholes must be built into communication protocols. It means 
that privacy of the communication must be deliberately violated and in a way 
that does not alert the sender or recipient. 
Of course, U.S. law-enforcement and national-security agents are not the only ones interested in wiretapping the Internet; foreign governments are as well. Any technology that is designed to simplify Internet wiretapping by U.S. intelligence may well be exploited by foreign-intelligence services. During the discussions on CALEA, there were concerns about the security problems created by “building in” wiretapping capabilities for digital telephony [15]. Such fears pale when measured against designing such capabilities for the Internet. Internet wiretapping technology, found and reverse engineered by foreign-intelligence services, could enable massive surveillance of U.S. “persons” (citizens and corporations). Used in combination with inexpensive automated search technology, this could lead to serious security breaches. 

There is risk to the U.S. economy (the potential loss of corporate information). There is risk to U.S. national security (through the provision of cost-effective massive intelligence gathering). There is risk to the freedom of U.S. citizens. These are the risks [7] that the European governments responded to when, in 1999, they decided to liberalize their cryptographic export-control policy, as did the United States when it liberalized its cryptographic export-control policies shortly afterwards [14]. 

If we were to build access for U.S. law enforcement or national security into Internet communications, such protocol design would have to be done very carefully. Can it be? It is highly doubtful. As the IETF Network Working Group observed, any protocol designed with wiretapping capabilities built in is inherently less secure than it would be without the wiretapping capability. Building wiretapping requirements into network protocols makes the protocols more complex. As is well known, complex protocols are prone to security flaws. The secure Internet is a challenge. Despite best efforts, security breaches slip into many protocols. No one wants to see deliberately architected security breaches. In 2000 the IETF Network Working Group decided not to consider requirements for wiretapping as part of the IETF standards process [35]. 

7 What Is the Right Tradeoff for Communications Surveillance? 

What are the costs to communications technology of continuing to enable wiretaps? A recent FBI petition to the FCC gives an illustration. The bureau argued that “CALEA’s purpose is to help lawful electronic surveillance keep pace with changes in telecommunications technology as telecommunications services migrate to new technologies” [21, pp. 3-4] and stated that thus “CALEA is applicable not only to entities and services that employ circuit-mode technology, but also to entities and services that employ packet-mode technology” [21, p. 6]. The Bureau urged the FCC to declare that any service providing voice communications, including Voice over IP (VoIP), should be viewed as a “telecommunications carrier.” 

The breadth of this claim is startling. Were the FCC to grant the petition (unknown at the time of this writing), this would put the FBI squarely in the middle of designing IETF protocols. What would the technological cost of granting this petition be? One can scarcely imagine. At a minimum, granting the petition would “drive up costs, impair and delay innovation, threaten privacy, and force development of the latest Internet innovations offshore” according to a response filed by a coalition of industry and civil-liberties groups [26]. As we have observed earlier, it would also threaten security. 

Does the value of wiretapping justify trying to preserve the tool? This, of course, depends on whom you ask. As the FBI was pressing the Digital Telephony bill in the early 1990s, the bureau argued that wiretapping was a critical tool in the fight against organized crime. The FBI presented claims that court-ordered wiretaps resulted in over seven thousand convictions, three hundred million dollars in fines levied, and over three-quarters of a billion dollars in recoveries, restitutions, and court-ordered forfeitures over a six-year period [18]. But White House staffers [3], the Treasury Department [28], and the Vice-President’s office [31] all disputed the FBI numbers. 

There is no question that wiretapping can be effective in some cases. Its most 
important value may be as a deterrent: knowing that law enforcement is listen- 
ing in, criminals and terrorists stay off the line. Or they speak in code: “The 
big guy is coming. He will be here soon.” [45] Making the use of electronic com- 
munications difficult for criminals and terrorists denies them one of the greatest 
technological advances of the last century. 

As we have seen, greater surveillance value may come from traffic analy- 
sis, which has already shown remarkable benefits in the fight against terrorism. 
Given the U.S. government’s shift on cryptographic export controls, one might 
reasonably argue that intelligence agencies have come to the same conclusion. 

The debate about electronic surveillance must not occur in isolation. U.S. wiretapping laws were passed when the opportunity to easily obtain massive, automatically created data trails did not exist. Video cameras in McDonalds, at ATM machines, E-Z Pass automatically recording the trip through the toll booths, sensors and RFID tags are all aspects of this changing technology. One has only to look at the disappearance of pay phones^ to realize how much the way we communicate, both in frequency and in mode, has changed from only a generation ago. 

If Congress were not to preserve law-enforcement’s capability to wiretap, what investigative tools might be offered in trade? A clear one is easy access to communications transactional information. One of the non-controversial aspects of the Patriot Act is that it simplified the procedure for obtaining pen register and trap-and-trace orders, no longer requiring an application in each jurisdiction, but letting a single application suffice. Traffic analysis has become significantly easier to obtain and it may be appropriate to trade further capabilities in this direction. For example, the decreasing costs of storage have made record saving much less onerous. Might it be appropriate to require service providers to keep records of communications (which numbers, when, for how long) for a specified period in exchange for deciding that communications systems will not be required to be built wiretap accessible? 

^ The new wing at Bradley Airport in Hartford, Connecticut, which has twelve gates, has exactly two pay phones. 

The threat of terrorism will confront our society for a long time. But we 
should not necessarily be extending a 1960s wiretap law into the twenty-first 
century. Instead we should be examining first principles to determine what 
surveillance laws are appropriate for current challenges. Wiretapping became 
a law-enforcement tool in the late 1920s; its use was codified in the 1960s and 
1970s. If attempting to preserve the tool in order to enable investigators to hold 
onto this capability would freeze communications in an antiquated technology, 
that may be the wrong route for our society to take. It may be that few security 
benefits accrue from the requirement that electronic communications be designed 
“wiretap accessible” while efforts to do so significantly impede innovation. It is 
time to fully examine electronic surveillance: its value, needs, and costs. Such a 
discussion is a necessity in our complicated times. It is crucial as we attempt to 
solve the current threats to security and liberty. 
Abstract. In this paper we propose a new key recovery attack on ir- 
regular clocked keystream generators where the stream is filtered by a 
nonlinear Boolean function. We show that the attack is much more ef- 
ficient than expected from previous analytic methods, and we believe it 
improves all previous attacks on the cipher model. 

Keywords: Correlation attack, stream cipher, Boolean functions, irregular clocked shift registers. 



1 Introduction 

In this paper we present a new key recovery correlation attack on ciphers based on an irregular clocked linear feedback shift register (LFSR) filtered by a Boolean function. The cipher model we attack is composed of two components, the clock control generator and the data generator, and is shown in Fig. 1. 

— The data generator sub system consists of LFSR$_u$ of length $l_u$ and the nonlinear multivariate function $f$. The internal state of LFSR$_u$ is filtered by the Boolean function $f$. The output from $f$ is the high linear complexity bit stream $v$. 

— The clock control sub system consists of LFSR$_s$ of length $l_s$ where the output from LFSR$_s$ is sent through the clock function $D()$. The output from $D()$ is the clock control sequence of integers, $c$, which is used to clock LFSR$_u$. 

The effect of the irregular clocking is that $v$ is irregularly decimated and the positions of the bits in the stream are altered. The result from this decimation is the keystream $z$. The secret key in this cipher is the $(l_u + l_s)$ initialization bits for LFSR$_u$ and LFSR$_s$, $(I_u, I_s)$. 

Fig. 1. The general cipher model we attack in this article 

To attack this encryption scheme we need to know the positions the keystream bits $z$ had in the stream $v$ before $v$ was irregularly decimated. The previous effective algorithms are not specially designed to attack irregular clocked and filtered generators. But there exist effective attacks on the data generator sub system [6, 1, 10, 3, 4]. To deal with the irregular clocking, one of two techniques is often used: 

1. Do the attack on the data generator $2^{l_s}$ times [7]. The attack is done one time for each guess for the $2^{l_s}$ possible initialization states for LFSR$_s$. If the attack on the sub system has complexity $O(K)$ the full attack will have complexity $O(K \cdot 2^{l_s})$. 

2. Ignore the clock control generator [3, 14, 4]. If the attack on the data generator subsystem needs $M$ keystream bits, we can use the fact [14] that we know the original $v$ position of every $(2^{l_s} - 1)$th bit in the keystream $z$. Thus we can only use every $(2^{l_s} - 1)$th keystream bit in the attack, which means that we need $(2^{l_s} - 1) \cdot M$ keystream bits to succeed. 

None of these techniques are optimal. The first one leads to large runtime com- 
plexity, the second leads to the need for a large number of keystream bits. 

Our attack is not designed to attack the data generator subsystem only, but is especially aimed at irregular clocked and filtered keystream generators as one system. First we guess the initialization state $I_s$ for LFSR$_s$. From this we can reconstruct the positions the bits in $z$ had in $v$. Using the iteration algorithm from [11] this reconstruction is done using just a couple of operations per guess, exploiting the cyclic redundancies in LFSR$_s$. This method is fully explained in Section 4.3. This method gives the guess $v^* = (\ldots, *, z_i, \ldots, z_j, \ldots, z_k, \ldots, *, \ldots)$, where $z_i, z_j, z_k$ are some keystream bits and the stars are the deleted bits. Then we test $v^*$ to see if it is likely that the stream is generated by the data generator subsystem LFSR$_u$ and $f$. Hence, we only use a distinguisher test on the $v^*$ stream to decide if the guess for $I_s$ is correct. This is easier than actually decoding the $v^*$ stream to find $I_u$, and then deciding if we have found the correct $I_s$. When $I_s$ is determined, we can use one of the previous attacks on the data generator sub system to determine $I_u$. 

The distinguisher test is to evaluate a large number $m$ of low weight parity check equations on the bit stream $v^*$. All equations are derived from one multiple $h(x)$ of weight 4 of the generator polynomial $g_u(x)$. Surprisingly this test works much better than expected from previous evaluation methods. In previous correlation attacks, the piling-up lemma [9] is often used to calculate the correlation [1, 7, 6] which the algorithm must decode. Since our algorithm only uses a distinguisher on $v^*$ we can use a correlation property of the function $f$ which gives much higher correlation between $v^*$ and the keystream $z$. Thus we need fewer parity check equations. This correlation property exists even if the function is correlation immune in the normal sense. 

Our attack has complexity $O(2^{l_s} \cdot m)$, independently of the length of LFSR$_u$. A cipher based on the model we attack in this paper is LILI-128. To attack the LILI-128 cipher our algorithm needs about 2^^ parity check equations. In LILI-128, $l_s = 39$, thus the runtime for our attack is 2^®+^^ ≈ 2®^ parity checks, with virtually no precomputation. We have implemented and tested the attack, and it works on computers having under 300 MB of RAM, and needs only around 68 Mbyte of keystream data. The precomputation has low runtime complexity and is negligible. When $I_s$ is found, we can use one of the previous algorithms to attack the data generator sub system. 

A comparable previous correlation attack by Johansson and Jonsson is pre- 
sented in [7]. The runtime for the attack is 2"^^ parity checks and the precom- 
putations is 2^® table lookups. The keystream length is approximately 2®®. This 
attack uses the first technique to handle the irregular clocking. 

Recently new algebraic attacks have been proposed by Courtois and Meier [3, 4]. This attack uses the second technique to handle the irregular clocking in LILI-128. Although the attack has an impressive runtime complexity 2^^ · $C$ (an optimistic estimate for some unknown constant $C$), the attack needs about 2®® keystream bits to succeed, which is impractical.

There is also a time-memory trade-off attack against LILI-128 by Markku-Juhani Olavi Saarinen [14]. This attack needs approximately 2®^-^ bits of computer memory and 2^® keystream bits. The runtime complexity is claimed to be 2"^® DES operations, which is not easy to compare with our runtime complexity. But the high use of computer memory and keystream bits also makes this attack impractical.

2 A Correlation Property of Nonlinear Functions

Let $V = \mathbb{F}_2^n$ and let $f$ be a balanced Boolean function from $V$ to $\mathbb{F}_2$. We start by analyzing the Boolean function $f(x)$ for a correlation property that we will use in the attack. A similar property is analyzed in [18] where they look at the nonhomomorphicity of functions. In this paper we identify the probability

$$p = P\big(f(x_1) + f(x_2) + f(x_3) + f(x_4) = 0 \mid x_1 + x_2 + x_3 + x_4 = 0\big) \qquad (1)$$

which is crucial for our attack's success rate.



2.1 The Correlation Property

Let $q = 2^n$ and let $a \cdot b = \sum_{i=1}^{n} a_i b_i$ denote the inner product of $a = (a_1, a_2, \ldots, a_n)$ and $b = (b_1, b_2, \ldots, b_n)$. Define the Walsh coefficients of $f$ by

$$\hat f(a) = \sum_{x \in V} (-1)^{f(x) + a \cdot x}.$$

Lemma 1. Let $f$ be a function from $V = \mathbb{F}_2^n$ to $\mathbb{F}_2$ and let $x_i \in V$ for $i = 1, 2, 3, 4$. Let $q = 2^n$ and let $N$ denote the number of solutions of

$$x_1 + x_2 + x_3 + x_4 = 0 \qquad (2)$$

$$f(x_1) + f(x_2) + f(x_3) + f(x_4) = 0. \qquad (3)$$

Then

$$N = \frac{q^3}{2} + \frac{1}{2q} \sum_{a \in V} \hat f(a)^4. \qquad (4)$$

Proof. Each term in the sum below gives a contribution $2q$ for each solution of the system of equations, and zero otherwise. Therefore, we have

$$2qN = \sum_{x_1, x_2, x_3, x_4 \in V} \Big( \sum_{a \in V} (-1)^{a \cdot (x_1 + x_2 + x_3 + x_4)} \Big) \Big( \sum_{y=0}^{1} (-1)^{y (f(x_1) + f(x_2) + f(x_3) + f(x_4))} \Big)$$

$$= \sum_{a \in V} \sum_{y=0}^{1} \sum_{x_1, x_2, x_3, x_4 \in V} (-1)^{y f(x_1) + \cdots + y f(x_4) + a \cdot x_1 + \cdots + a \cdot x_4}$$

$$= \sum_{a \in V} \sum_{y=0}^{1} \Big( \sum_{x \in V} (-1)^{y f(x) + a \cdot x} \Big)^4$$

$$= q^4 + \sum_{a \in V} \hat f(a)^4,$$

where the first term comes from the case $y = 0$ and $a = 0$, and the last term from the case $y = 1$.

Corollary 1. If $f(x)$ is a balanced function then the number of solutions $N$ of the system of equations above is

$$N \ge \frac{q^3}{2} + \frac{q^3}{2(q-1)}.$$

Proof. Since $f(x)$ is balanced we obtain $\hat f(0) = 0$. It follows from Parseval's identity that the average value of $\hat f(a)^2$ over $a \ne 0$ is $\frac{q^2}{q-1}$. Hence, it follows from the Cauchy-Schwarz inequality that $\sum_{a \in V} \hat f(a)^4 \ge (q-1) \big( \frac{q^2}{q-1} \big)^2 = \frac{q^4}{q-1}$, which substituted in the lemma above gives the result.



Corollary 2. The expected number of solutions $N$ of the system of equations above is

$$E(N) = \frac{q^3}{2} + \frac{3q^2 - 2q}{2}.$$

Proof. An average estimate of $N$ can be found as follows. When there exist two equal vectors $x_{i_1} = x_{i_2}$ in Equation (2), the two other vectors $x_{i_3}, x_{i_4}$ will also be equal. When this occurs it follows that Equation (3) will sum to zero. This gives the unbalance that causes the high correlation. Equation (2) implies $x_4 = x_1 + x_2 + x_3$. Then there are $q(q-1)(q-2)$ triples $x_1, x_2, x_3$ where all the $x_i$'s are distinct and there are therefore $3q^2 - 2q$ triples with one or two pairs $x_{i_1} = x_{i_2}$. Using this fact and substituting Equation (2) into Equation (3), we can write

$$2N = \sum_{x_1, x_2, x_3 \in V} \sum_{y=0}^{1} (-1)^{y (f(x_1) + f(x_2) + f(x_3) + f(x_1 + x_2 + x_3))}$$

$$= q^3 + \sum_{x_1, x_2, x_3 \in V} (-1)^{f(x_1) + f(x_2) + f(x_3) + f(x_1 + x_2 + x_3)}$$

$$= q^3 + (3q^2 - 2q) + \sum_{x_1, x_2, x_3 \text{ distinct} \in V} (-1)^{f(x_1) + f(x_2) + f(x_3) + f(x_1 + x_2 + x_3)}.$$

Since for an arbitrary function $f$ we can expect that $f(x_1)$, $f(x_2)$, $f(x_3)$, and $f(x_1 + x_2 + x_3)$ take on all binary quadruples approximately equally often when $x_1 \ne x_2 \ne x_3 \ne x_1$, we expect on average the last term to be 0. This implies the result.


Corollary 3. Let $f$ be an arbitrary balanced function, and let $p$ denote the probability

$$p = \mathrm{Prob}\big(f(x_1) + f(x_2) + f(x_3) + f(x_4) = 0 \mid x_1 + x_2 + x_3 + x_4 = 0\big),$$

then $p$ is expected to be $E(p) = \frac{1}{2} + \frac{3q-2}{2q^2}$ and its minimum is $p_{\min} \ge \frac{1}{2} + \frac{1}{2(q-1)}$.

Proof. Since Equation (2) has $q^3$ solutions, it follows from Corollary 1 that the expected probability is equal to $E(p) = \frac{E(N)}{q^3} = \frac{1}{2} + \frac{3q-2}{2q^2}$. Further from Corollary 2 we obtain that the minimum is $p_{\min} \ge \big( \frac{q^3}{2} + \frac{q^3}{2(q-1)} \big) / q^3 = \frac{1}{2} + \frac{1}{2(q-1)}$.

Corollary 4. Given a specific balanced function $f$, the probability

$$p = \mathrm{Prob}\big(f(x_1) + f(x_2) + f(x_3) + f(x_4) = 0 \mid x_1 + x_2 + x_3 + x_4 = 0\big),$$

is

$$p = \frac{1}{2} + \frac{1}{2q^4} \sum_{a \in V} \hat f(a)^4.$$

Proof. Using the $N$ from Lemma 1 we get $p = \frac{N}{q^3} = \frac{1}{2} + \frac{1}{2q^4} \sum_{a \in V} \hat f(a)^4$.

It is straightforward to extend Lemma 1 to compute the number of common solutions of the two equations

$$x_1 + x_2 + \cdots + x_w = 0$$

$$f(x_1) + f(x_2) + \cdots + f(x_w) = 0,$$

and show that the corresponding probability

$$\mathrm{Prob}\big(f(x_1) + f(x_2) + \cdots + f(x_w) = 0 \mid x_1 + x_2 + \cdots + x_w = 0\big)$$

equals

$$p_w = \frac{1}{2} + \frac{1}{2q^w} \sum_{a \in V} \hat f(a)^w,$$

which reduces to the result of Corollary 4 when $w = 4$.

In the case $w = 3$, we can calculate the expected value for a balanced Boolean function, with a given $f(0)$, to be $E(p) = \frac{1}{2} + \frac{3q-2}{2q^2}$. This implies that the bias is the same for the case $w = 3$ as for $w = 4$. Similar arguments for equations with $w \ge 5$ show that these equations give too low correlation, which would lead to a high runtime complexity for our attack. It turns out that for $w = 3$ the attack needs many more keystream bits to succeed, see Sections 4.1 and 5.2. Since the correlation bias is exactly the same for $w = 3$ and $w = 4$ it is optimal to use $w = 4$.



2.2 Analysis of Some Functions

In Table 1 we have analyzed some functions using Corollary 4. This correlation is surprisingly high. Let $p_{app} = 0.53125$ be the best linear approximation to the LILI-128 function. Due to the design of the previous attacks [6, 7, 10] the channel noise has been independent of the stream $u$ generated by LFSR$_u$. Thus the Piling-up lemma [9], $p_{pu} = \frac{1}{2} + 2^{w-1} (p_{app} - \frac{1}{2})^w$, is used to evaluate the crossover correlation $1 - p_{pu}$ which the algorithms must be able to decode. Using the Piling-up lemma for weight $w = 4$ equations, the correlation $p_{pu}$ for LILI-128 will be $p_{pu} = 0.50000763$. From Table 1 we have the correlation $p = 0.501862$. The reason for the higher correlation is that our attack only uses a distinguisher on the data generator sub system, and not a complete decoder. Hence, in our key recovery attack on the clock control system, we can use Corollary 4 from Section 2.1 to calculate the correlation. To test the corollary we generated 2000 random and balanced Boolean tables for $n = 10$, and calculated the average correlation. The result was that the average $p$ was 0.501466, which is close to the theoretical expected $E(p) = 0.501464$.

Table 1. The probability $P(f(x_1) + f(x_2) + f(x_3) + f(x_4) = 0 \mid x_1 + x_2 + x_3 + x_4 = 0)$ calculated for some given functions. $E(p)$ is the expected correlation for given $q = 2^n$ and $p$ is the actual correlation for the given function.

Function    Number of input bits n   Best linear approximation   E(p)       p
Geffe       3                        0.75                        0.671875   0.625
LILI-128    10                       0.53125                     0.501464   0.501862
LILI-II     12                       0.51367                     0.500366   0.500190
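As an added example (not code from the paper), the following Python computes the correlation property of a filter function from its Walsh spectrum, as in Corollary 4 and its weight-$w$ extension, and cross-checks it by brute-force counting of the solutions of (2) and (3); the Geffe function reproduces the first row of Table 1. The integer truth-table encoding and all helper names are this example's own choices.

```python
"""Added example (not the paper's code): the weight-w correlation property of a
Boolean filter function, computed from its Walsh spectrum as in Corollary 4
and its general-w extension, and cross-checked by brute-force counting."""
from itertools import product


def walsh_spectrum(truth_table, n):
    """Return [\\hat f(a) for a in 0..2^n-1], \\hat f(a) = sum_x (-1)^{f(x)+a.x},
    via an in-place fast Walsh-Hadamard transform of the (-1)^{f(x)} vector.
    x and a are encoded as integers whose bit i holds x_{i+1} (resp. a_{i+1})."""
    q = 1 << n
    assert len(truth_table) == q
    w = [1 - 2 * bit for bit in truth_table]
    h = 1
    while h < q:
        for i in range(0, q, 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h *= 2
    return w


def correlation_property(truth_table, n, w=4):
    """p_w = 1/2 + (1/(2 q^w)) * sum_a \\hat f(a)^w; w = 4 is Corollary 4."""
    q = 1 << n
    return 0.5 + sum(c ** w for c in walsh_spectrum(truth_table, n)) / (2 * q ** w)


def expected_p(n):
    """E(p) = 1/2 + (3q-2)/(2q^2): the average over balanced f (Corollary 3)."""
    q = 1 << n
    return 0.5 + (3 * q - 2) / (2 * q * q)


def min_p(n):
    """p_min >= 1/2 + 1/(2(q-1)) for every balanced f (Corollary 3)."""
    q = 1 << n
    return 0.5 + 1 / (2 * (q - 1))


def best_linear_approximation(truth_table, n):
    """p_app = 1/2 + max_a |\\hat f(a)| / (2q), the Table 1 column."""
    q = 1 << n
    return 0.5 + max(abs(c) for c in walsh_spectrum(truth_table, n)) / (2 * q)


def brute_force_p(truth_table, n, w=4):
    """Count the solutions of x_1+...+x_w = 0, f(x_1)+...+f(x_w) = 0 directly.
    The last vector is forced to the XOR of the others, so the q^{w-1}
    free tuples are enumerated (only feasible for small n and w)."""
    q = 1 << n
    holds = 0
    for xs in product(range(q), repeat=w - 1):
        x_last = 0
        for x in xs:
            x_last ^= x
        s = truth_table[x_last]
        for x in xs:
            s ^= truth_table[x]
        holds += 1 - s          # s == 0 means the parity check holds
    return holds / q ** (w - 1)


def geffe(x):
    """Geffe function f(x1,x2,x3) = x1 x2 + x2 x3 + x3 on the integer encoding."""
    x1, x2, x3 = x & 1, (x >> 1) & 1, (x >> 2) & 1
    return (x1 & x2) ^ (x2 & x3) ^ x3


GEFFE_TT = [geffe(x) for x in range(8)]   # n = 3, first row of Table 1


if __name__ == "__main__":
    for w in (3, 4, 5):
        print(f"w={w}: Walsh {correlation_property(GEFFE_TT, 3, w):.6f}, "
              f"brute force {brute_force_p(GEFFE_TT, 3, w):.6f}")
    print(f"E(p)={expected_p(3)}, p_min={min_p(3):.6f}, "
          f"p_app={best_linear_approximation(GEFFE_TT, 3)}")
    print(f"LILI-128 size (n=10): E(p)={expected_p(10):.6f}")
```

For the Geffe function the $w = 3$ and $w = 4$ values coincide at 0.625, the same equality of bias the text notes for random balanced functions.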



3 A General Model

Here we define a general model for irregularly clocked and filtered stream ciphers, and some well-known properties of the model.
3.1 General Model

Let $g_u(x)$ and $g_s(x)$ be the feedback polynomials for the shift registers LFSR$_u$ of length $l_u$ and LFSR$_s$ of length $l_s$. We let $I_s = (s_0, s_1, \ldots, s_{l_s - 1})$ and $I_u = (u_0, u_1, \ldots, u_{l_u - 1})$ be the initialization states for LFSR$_s$ and LFSR$_u$. The initialization states $(I_s, I_u)$ define the secret key for the given cipher system.

From $g_s(x)$ we can calculate a clock control sequence $c$ in the following way. Let $c_t = D(L_s^t(I_s)) \in \{a_1, a_2, \ldots, a_A\}$, $a_j > 0$, be a function where the input $L_s^t(I_s)$ is the inner state of LFSR$_s$ after $t$ feedback shifts and $A$ is the number of values that $c_t$ can take. Let $p_j$ be the probability $p_j = \mathrm{Prob}(c_t = a_j)$.

LFSR$_u$ produces the stream $u = (u_0, u_1, \ldots)$ which is filtered by $f$. The output from $f$ is $v_k = f(u_{k+i_0}, u_{k+i_1}, \ldots, u_{k+i_{n-1}})$, or equivalently $v_k = f(L_u^k(I_u))$. The clock $c_t$ decides how many times LFSR$_u$ is clocked before the output bit $v_k$ is taken as keystream bit $z_t$. Thus the keystream $z_t$ is produced by $z_t = v_{k(t)}$, where $k(t)$ is the total sum of the clock at time $t$, that is $k(t) = k(t-1) + c_t$. This gives the following definition for the clocking of LFSR$_u$.

Definition 1. Given bit stream $v$ and clock control sequence $c$, let $z = Q(c, v)$ be the function that generates $z$ of length $M$ by

$$Q(c, v) : z_t \leftarrow v_{k(t)}, \quad 0 \le t < M,$$

where $k(t) = \sum_{j=0}^{t} c_j$.

If $a_j \ge 1$, $1 \le j \le A$, the function $Q(c, v)$ can be considered as a deletion channel with input $v$ and output $z$. The deletion rate is

$$P_d = 1 - \frac{1}{\sum_{j=1}^{A} p_j a_j}. \qquad (5)$$

The $D()$ function described above can in this model be, among others, the shrinking generator, the step-1/step-2 generator and the stop-and-go generator. Next we define the (not complete) reverse of Definition 1.

Definition 2. Given the clock control sequence $c$ and keystream $z$, let the function $v^* = Q^*(c, z)$ be the (not complete) reverse of $Q$, defined as

$$Q^*(c, z) : v^*_{k(t)} \leftarrow z_t, \quad 0 \le t < M,$$

where $k(t) = \sum_{j=0}^{t} c_j$, and $v^*_k = *$ for the entries $k$ in $v^*$ where $v_k$ is deleted. When this occurs we say that $v^*_k$ is not defined.

The length of $v^*$ will be $N^* = k(M-1) + 1$. Given a stream $z$ of length $M$, the expected length $N$ of the stream $v$ is

$$E(N) = \frac{M}{1 - P_d}. \qquad (6)$$

Note that the only difference between this definition and Definition 1 is that $v$ and $z$ have switched sides. Thus $Q^*(c, z)$ is a reverse of $Q(c, v)$. But since some bits are deleted, the reverse is not complete and we get the stream $v^*$.

The probability for a bit $v^*_k$ being defined is $\mathrm{Prob}(v^*_k \text{ defined}) = 1 - P_d$. This happens when $k = k(t)$ holds for some $t$, $0 \le t < M$. It follows that the sum $v^*_k + v^*_{k+j_1} + \cdots + v^*_{k+j_{w-1}}$ will be defined if and only if all of the bits in the sum are defined. Thus the sum will be defined for given $k$ in $v^*$ with probability

$$P_{def} = (1 - P_d)^w. \qquad (7)$$
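As an added illustration of Definitions 1 and 2 (not code from the paper), here is a small Python model of the general system with constructed toy parameters: a length-5 LFSR$_s$ driving a LILI-style clock $c_t = 1 + s_{t+1} + 2 s_{t+3}$, a length-7 LFSR$_u$ filtered by the Geffe function, the maps $Q$ and $Q^*$, and the deletion-rate checks behind (5), (6) and (7). All polynomials, taps and offsets are chosen for this example and are not the LILI-128 values.

```python
"""Added example (not the paper's code): a toy instance of the general model
of Section 3.1 with constructed parameters, used to exercise Q(c, v) and
Q*(c, z) and to check the deletion-rate relations (5), (6) and (7)."""

# Toy parameters constructed for this example (not the LILI-128 values).
GS_POLY = (5, 2, 0)       # g_s(x) = x^5 + x^2 + 1, primitive, LFSR_s of length 5
GU_POLY = (7, 1, 0)       # g_u(x) = x^7 + x + 1,   primitive, LFSR_u of length 7
CLOCK_TAPS = (1, 3)       # c_t = 1 + s_{t+1} + 2 s_{t+3}, LILI-style, a_j in {1,2,3,4}
FILTER_TAPS = (0, 2, 5)   # x_k = (u_k, u_{k+2}, u_{k+5}) is fed to the Geffe function


def lfsr_stream(poly, init, length):
    """First `length` bits of the LFSR with feedback polynomial x^L + ... + 1,
    `poly` listing its exponents (L first, 0 last), from state (s_0..s_{L-1})."""
    L = poly[0]
    s = list(init)
    assert len(s) == L and any(s), "state must have L bits and be nonzero"
    out = []
    for _ in range(length):
        out.append(s[0])
        fb = 0
        for e in poly[1:]:            # s_{k+L} = sum of s_{k+e} over the lower exponents
            fb ^= s[e]
        s = s[1:] + [fb]
    return out


def geffe(x1, x2, x3):
    """Geffe function, balanced, 3 inputs (row 1 of Table 1)."""
    return (x1 & x2) ^ (x2 & x3) ^ x3


def clock_sequence(s, M):
    """c_t = D(L_s^t(I_s)) read off the LFSR_s output bits for 0 <= t < M."""
    return [1 + s[t + CLOCK_TAPS[0]] + 2 * s[t + CLOCK_TAPS[1]] for t in range(M)]


def filtered_stream(u):
    """v_k = f(u_{k+i_0}, u_{k+i_1}, u_{k+i_2}) for every k where all taps exist."""
    span = len(u) - max(FILTER_TAPS)
    return [geffe(*(u[k + i] for i in FILTER_TAPS)) for k in range(span)]


def Q(c, v):
    """Definition 1: z_t = v_{k(t)} with k(t) = c_0 + ... + c_t."""
    z, k = [], 0
    for ct in c:
        k += ct
        z.append(v[k])
    return z


def Q_star(c, z):
    """Definition 2: v*_{k(t)} = z_t; every other position is undefined (None)."""
    ks, k = [], 0
    for ct in c:
        k += ct
        ks.append(k)
    vstar = [None] * (ks[-1] + 1)
    for t, k in enumerate(ks):
        vstar[k] = z[t]
    return vstar


def deletion_rate(c):
    """P_d = 1 - 1/E[c]: the fraction of v that never reaches z (0.6 when
    c is uniform on {1,2,3,4}, the value the paper states for LILI-128)."""
    return 1 - len(c) / sum(c)


def empirical_deletion_rate(vstar):
    return sum(x is None for x in vstar) / len(vstar)


def defined_fraction(vstar, offsets):
    """Fraction of k for which v*_k and all v*_{k+j}, j in offsets, are defined;
    Equation (7) predicts (1 - P_d)^w for w = 1 + len(offsets), treating the
    positions as independently defined (an approximation)."""
    span = len(vstar) - max(offsets)
    hits = sum(
        vstar[k] is not None and all(vstar[k + j] is not None for j in offsets)
        for k in range(span)
    )
    return hits / span


def run_model(M=2000, s_init=(1, 0, 0, 0, 0), u_init=(1, 0, 0, 0, 0, 0, 0)):
    """Produce c, v, z = Q(c, v) and v* = Q*(c, z) for M keystream bits."""
    s = lfsr_stream(GS_POLY, s_init, M + max(CLOCK_TAPS))
    c = clock_sequence(s, M)
    n_u = sum(c) + 1 + max(FILTER_TAPS)      # enough u bits to define v_{k(M-1)}
    v = filtered_stream(lfsr_stream(GU_POLY, u_init, n_u))
    z = Q(c, v)
    return c, v, z, Q_star(c, z)


if __name__ == "__main__":
    c, v, z, vstar = run_model()
    pd = deletion_rate(c)
    print(f"M={len(z)}, N*={len(vstar)}, P_d theory={pd:.4f}, "
          f"empirical={empirical_deletion_rate(vstar):.4f}")
    offsets = (9, 21, 34)                    # a constructed weight-4 offset pattern
    print(f"P_def (1-P_d)^4={(1 - pd) ** 4:.4f}, "
          f"observed={defined_fraction(vstar, offsets):.4f}")
```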



4 The Attack

4.1 Equations of Weight 4

To succeed with our attack we need to find exactly one weight 4 equation

$$A_u : u_k + u_{k+j_1} + u_{k+j_2} + u_{k+j_3} = 0 \qquad (8)$$

that holds over all $u$ generated by LFSR$_u$ for $k \ge 0$. This corresponds to finding a multiple $h(x) = a(x) g_u(x)$ of weight 4. There exist several algorithms for finding such a multiple, see among others [13, 2, 5, 17, 12].

In this paper we use the fast search algorithm in [12, 11], which is a modified version of David Wagner's Generalized Birthday Algorithm [17]. If the stream $u$ has length $N$, this algorithm has runtime complexity $O(N \log N)$ and memory complexity $O(N)$, where $N$ is of order $2^{l_u/3}$. The algorithm is effective in practice, and we have succeeded in finding multiples of the generator polynomial of high degree, see Section 6.3 for an example. We refer to Appendix C in [11] for the details of this search algorithm.

Next, we let the input vector $x_k$ to the Boolean function $f(x)$ be

$$x_k = (u_{k+i_0}, u_{k+i_1}, \ldots, u_{k+i_{n-1}}), \qquad (9)$$

where $(i_0, i_1, \ldots, i_{n-1})$ defines the tapping positions from the internal state $L_u^k(I_u)$ of LFSR$_u$ after $k$ feedback shifts. Substituting the vector (9) into Equation (8) we have that $x_k + x_{k+j_1} + x_{k+j_2} + x_{k+j_3} = 0$ always holds for $k \ge 0$. Since $v_k = f(x_k)$ we have from Corollary 4 that the equation

$$A_v : v_k + v_{k+j_1} + v_{k+j_2} + v_{k+j_3} = 0, \qquad (10)$$

will hold for $k \ge 0$ with probability $p = \frac{1}{2} + \frac{1}{2q^4} \sum_{a \in V} \hat f(a)^4$.

Remark 1. In [8] the multiple of $g_u(x)$ of weight $w = 3$ is exploited to define an iterative decoding attack on regularly clocked LFSRs filtered by Boolean functions. The constrained system

$$\sum_{a=0}^{w-1} u_{k+j_a} = 0, \qquad (11)$$

$$v_{k+j_a} = f(x_{k+j_a}), \quad 0 \le a < w,$$

is analyzed. This system is similar to the one we use in this paper, but it is used differently. Since there are limited solutions to this system, the a posteriori probabilities for each of the input bits $(u_{k+j_a+i_0}, u_{k+j_a+i_1}, \ldots, u_{k+j_a+i_{n-1}})$ in $x_{k+j_a}$ can be calculated. Then these probabilities are put into a Gallager-like probabilistic decoding algorithm (SOJA) which outputs $I_u$. However, the correlation property in Corollary 4 is neither identified nor exploited in [8].



4.2 Naive Algorithm

Let $\hat I_s$ be a guess for the initialization state $I_s$. Given the keystream $z$ of length $M$, we generate $c_t = D(L_s^t(\hat I_s))$, $0 \le t < M$, and $v^* = Q^*(c, z)$ of length $N \approx \frac{M}{1 - P_d}$. Then we test if $v^*$ is likely to have been generated by LFSR$_u$ using the following method.

Find $m$ entries in $v^*$ where the equation is defined. From this we get a set of $m$ equations. We test the $m$ equations, and let the metric for the guess be the number of equations that hold. When we have the correct guess for $I_s$ we expect $pm$ of the equations to hold, where $p$ is calculated using Corollary 4. Thus, this is a maximum likelihood decoding algorithm.

The runtime complexity for the attack will be of order $2^{l_s} \cdot (m + N)$, since we have to generate the bit stream $v^*$ of length $N$ for each of the guesses. In a real attack, $N$ will be a large number and the naive algorithm will have very high runtime complexity.



4.3 Some Observations

If we use the technique in the previous section the attack has the runtime $2^{l_s} \cdot (m + N)$. In [11, Sec. 3.3] two important observations were made that reduce the complexity down to $2^{l_s} \cdot m$. Since $N \gg m$, these observations will speed up the attack considerably. We start with an initial guess $I^0 = (1, 0, \ldots, 0)$ and let the $i$'th guess be the internal state of LFSR$_s$ after $i$ feedback shifts, that is

$$I^i = L_s^i(I^0).$$

Let $c^i = (c^i_0, c^i_1, \ldots, c^i_{M-1})$ be the $i$'th guess for the clock control sequence defined by $c^i_t = D(L_s^{t+i}(1, 0, \ldots, 0))$, $0 \le t < M$. Let $v^i = Q^*(c^i, z)$ be the corresponding guess for $v^*$ of length $N_i$. We can now give an iterative method for generating $v^{i+1}$ from $v^i$.

Lemma 2. We can transform $v^i$ into $v^{i+1} = Q^*(c^{i+1}, z)$ using the following method: Delete the first $c^i_0$ entries $(*, \ldots, *, z_0)$ in $v^i$, append the $c^{i+1}_{M-1} = c^i_M$ entries $(*, \ldots, *, z_M)$ at the end, and replace $z_t$ with $z_{t-1}$ for $1 \le t \le M$.

Proof. See Appendix B.1 in [11].

Lemma 2 shows that we can generate each $v^i$ using just a few operations instead of $N$ operations, when implemented properly (see Appendix A.1 for the implementation details). This gives a fast method for generating all possible guesses for $v^*$ given a keystream $z$. But using this lemma we still have to search for $m$ entries in $v^i$ where the equations are defined. Since on average we must search through $1/P_{def}$ entries in $v^i$ per equation, we want to avoid this search. In the next theorem we show how this can be done. The theorem proves that we can reuse the equation set for $v^i$ in $v^{i+1}$.

Theorem 1. If the sum

$$v_k + v_{k+k_1} + \cdots + v_{k+k_{w-1}} = z_t + z_{t+j_1} + \cdots + z_{t+j_{w-1}} = \Omega_{z,t}$$

is defined over $v^i$, then the sum

$$v_{k-c^i_0} + v_{k+k_1-c^i_0} + \cdots + v_{k+k_{w-1}-c^i_0} = z_{t-1} + z_{t+j_1-1} + \cdots + z_{t+j_{w-1}-1} = \Omega_{z,t-1}$$

is defined over $v^{i+1}$.

Proof. See Appendix B.2 in [11].

The main result from this theorem is that the equation set defined over $v^i$ will be defined over $v^{i+1}$ when we shift the equations $c^i_0$ entries to the left over $v^{i+1}$. This means that we can just shift the equations one entry to the left over $z$, and we will have a sum that is defined for the guess $\hat I_s = L_s^{i+1}(1, 0, \ldots, 0)$. Thus, the theorem shows that we can avoid a lot of computations if we let the $i$'th guess for the inner state of LFSR$_s$ be $L_s^i(1, 0, \ldots, 0)$.

Remark 2. To use the lemma and theorem above we do not put the actual bit values $z_t$ and restore them to the position $k(t)$ in $v^*$ given by $Q^*(c, z)$. Instead we store the index $z_t$ (the pointer to the position $t$ in $z$) in $v^*_{k(t)}$. This means that $v^*_{k(t)}$ holds the position $t$ which the keystream bit $z_t$ has in $z$. But when we evaluate an equation we use the indices to put in the actual bit values.



4.4 An Efficient Algorithm

Assume we have found an equation $A_v : v_k + v_{k+j_1} + v_{k+j_2} + v_{k+j_3} = 0$. The equation holds over $v$ with probability $p$ calculated using Corollary 4. Let the first guess for the initialization state for $s$ be $I^0 = (1, 0, 0, \ldots, 0)$, generate $c^0$ by $c^0_t = D(L_s^t(1, 0, \ldots, 0))$, $t < M$, and $v^0 = Q^*(c^0, z)$. Next we try to find $m$ entries $(k_1, k_2, \ldots, k_m)$ in $v^0$ where the equation $A_v$ is defined. From this we get the equation set

$$\begin{array}{rcl}
v^0_{k_1} + v^0_{k_1+j_1} + v^0_{k_1+j_2} + v^0_{k_1+j_3} & = & 0 \\
v^0_{k_2} + v^0_{k_2+j_1} + v^0_{k_2+j_2} + v^0_{k_2+j_3} & = & 0 \\
& \vdots & \\
v^0_{k_m} + v^0_{k_m+j_1} + v^0_{k_m+j_2} + v^0_{k_m+j_3} & = & 0.
\end{array} \qquad (12)$$

Since every $v^0_k$ in this equation set is defined in $v^0$ and $z_t = v_{k(t)}$, we can replace $v^0_k$ with the corresponding bit $z_t$ from the keystream $z$. Thus, $v^0$ is a sequence of pointers to $z$ and we can write the equations over $z$ as the equation set $\Omega$:

$$\begin{array}{rcl}
z_{t_{1,1}} + z_{t_{1,2}} + z_{t_{1,3}} + z_{t_{1,4}} & = & 0 \\
z_{t_{2,1}} + z_{t_{2,2}} + z_{t_{2,3}} + z_{t_{2,4}} & = & 0 \\
& \vdots & \\
z_{t_{m,1}} + z_{t_{m,2}} + z_{t_{m,3}} + z_{t_{m,4}} & = & 0.
\end{array} \qquad (13)$$

We are now finished with the precomputation. Let $metric_{best}$ be the number of equations in $\Omega$ that hold. We iterate as follows:

Input: The keystream $z$ of length $M$, the equation $A$, the equation set $\Omega$, the index sequence $v^0$, the states $L_s^0(1, 0, \ldots, 0)$ and $L_s^M(1, 0, \ldots, 0)$, and let $i \leftarrow 0$.

1. Calculate $c^i_M = D(L_s^{M+i}(1, 0, \ldots, 0))$.

2. Use Lemma 2 to generate $v^{i+1} = Q^*(c^{i+1}, z)$ and lower all indexes in the equation set $\Omega$ by one. Theorem 1 guarantees that the equations are defined over $v^{i+1}$.

3. If the first equation in $\Omega$ gets a negative index, then remove the equation from $\Omega$. Find a new index at the end of $v^{i+1}$ where $A$ is defined, and add the new equation over $z$ to $\Omega$.

4. Calculate $metric$ as the number of equations in $\Omega$ that hold.

5. If $metric > metric_{best}$, set $metric_{best} \leftarrow metric$ and $\hat I_s \leftarrow L_s^{i+1}(1, 0, \ldots, 0)$.

6. Set $i \leftarrow i + 1$ and go to step 1.

7. Output $\hat I_s$ as the initialization state for LFSR$_s$.

Remark 3. The algorithm is presented this way to make it readable and to show the basic idea. To reach the complexity $O(2^{l_s} \cdot m)$ a few technical details on the implementation of the algorithm are needed. These details are given in Appendix A.




5 Theoretical Properties

5.1 Success Formula

We can let an (unusual) encoder be defined by removing the Boolean function from the cipher. Then we can use coding theory to evaluate the attack. Let the initialization state $I_s$ for LFSR$_s$ define the information bits in such a system. Let $y = (y_0, y_1, \ldots, y_{M-1})$ be the (not filtered) irregularly clocked stream from LFSR$_u$, that is $y = Q(c, u)$ and $c_t = D(L_s^t(I_s))$. Then the bitstream $y$ defines the codeword that is sent over a noisy channel. Let the keystream $z = Q(c, v)$ (the filtered version of $y$) be the received codeword.

Assume we have the wrong guess for $I_s$, then approximately $m/2$ of the equations in the set (13) will hold. Now assume we have guessed the correct $I_s$. According to the observation in Section 2.1 the equations in the set (13) will hold with probability $p = \frac{1}{2} + \frac{1}{2q^4} \sum_{a \in V} \hat f(a)^4$, independently of the initialization bits $I_u$.

Let $p$ define the channel 'noise'. The uncertainty is defined by $H(p) = -p \log p - (1-p) \log(1-p)$, and the channel capacity is given by $C(p) = 1 - H(p)$. We can approximate $C(p)$ with $C(p) \approx 2(p - \frac{1}{2})^2 / \ln 2$. Following Shannon's noisy coding theorem we can set up this bound for success.

Proposition 1. The attack will succeed with probability $> \frac{1}{2}$ if the number of parity check equations $m$ is

$$m > m_0 = \frac{l_s}{C(p)} \approx \frac{0.347\, l_s}{(p - \frac{1}{2})^2},$$

where $p \approx \frac{1}{2} + \frac{3q-2}{2q^2}$, $q = 2^n$, where $n$ is the number of input bits in $f(x)$.

When $m$ is close to $2 \cdot m_0$ we expect the probability for success to be close to 1, see [15]. The simulations of our algorithm show that if we set $m = 2.1 \cdot m_0$ the success rate is approximately 99%.

5.2 Keystream Length

If the generator polynomial $g_u(x)$ has weight $w > 4$, we must find a multiple $h(x)$ of $g_u(x)$ of weight 4 and degree $l_h$. We need the $v$ stream to be at least of length $l_h$. In addition, to find $m$ entries in $v$ where the equation is defined, $v$ must at least have length

$$N \ge l_h + m / P_{def}. \qquad (14)$$

From the expectation (6) of $N$ we get $E(M) = N(1 - P_d) = (1 - P_d) l_h + m / (1 - P_d)^3$, which proves the following proposition:

Proposition 2. Let an equation over $v$ be defined by $h(x)$ of weight 4 and degree $l_h$. To obtain an equation set $\Omega$ of $m$ equations over $z$, the length of the $z$ stream must be

$$M \ge (1 - P_d) l_h + m / (1 - P_d)^3. \qquad (15)$$

The keystream length $M$ depends on the number of equations $m$, the deletion rate $P_d$ and the degree $l_h$ of $h(x)$. The degree $l_h$ is then again highly dependent on the search algorithm we use to find $h(x)$. When we use the search algorithm in [11, 17] the degree $l_h$ of $h(x)$ will be of order $2^{l_u/3}$, which is close to the theoretical expected degree [5] for $w = 4$.

5.3 Runtime Complexity

The runtime complexity for our attack is

$$2^{l_s} \cdot m \approx 2^{l_s} \cdot \frac{0.347\, l_s}{(p - \frac{1}{2})^2} \qquad (16)$$

parity check tests, where $p$ is calculated using Corollary 4. Note that the runtime is independent of the length $l_u$ of LFSR$_u$.
5.4 Memory Complexity

If we implement the attack directly as described in Sections 4.3 and 4.4 the algorithm will need around $32N + 4 \cdot 32m$ bits of computer memory. The reason for the $32N$ term is that $v^* = z_0, *, *, z_1, z_2, \ldots, *, z_{M-1}$ of length $N$ is a sequence of pointers of 32 bits. In Appendix A.2 we show how we can store $v^*$ using $N$ memory bits without affecting the runtime complexity. The total amount of memory bytes needed is then

$$\frac{N}{8} + 16m. \qquad (17)$$



6 Simulations of the Attack

The LILI-128 cipher [16] is based on the general model we attack in this paper. To be able to compare our attack with previous attacks, we have tested the attack on this cipher.

6.1 The LILI-128 Cipher

In the LILI cipher the clock control generator is defined by

$$g_s(x) = x^{39} + x^{35} + x^{33} + x^{31} + x^{17} + x^{15} + x^{14} + x^{2} + 1,$$

and $c_t = D(s_{t+12}, s_{t+20}) = 1 + s_{t+12} + 2 s_{t+20}$. The data generator sub system is

$$g_u(x) = x^{89} + x^{83} + x^{80} + x^{55} + x^{53} + x^{42} + x^{39} + x + 1,$$

and $v_k = f(u_k, u_{k+1}, u_{k+3}, u_{k+7}, u_{k+12}, u_{k+20}, u_{k+30}, u_{k+44}, u_{k+65}, u_{k+80})$, defined by a Boolean table of size 1024. Further on we get $P_d = 0.6$, and $P_{def} = 0.0256$ for $w = 4$, and $p = 0.501862$. The number of key bits in the secret key $(I_s, I_u)$ is $39 + 89 = 128$.

6.2 Simulations

We have done the simulations on some versions of the LILI-128 cipher with LFSRs of different lengths to empirically verify the success formula in Section 5.1. See Table 2 for the simulations. Note that we use the full size LFSR$_u$ from the LILI cipher in the three attacks at the bottom of the table. For $l_s = 11$ and $p = 0.501862$ we get $m_0 = 1.1 \cdot 10^6$.

We have implemented the attack in C code using the Intel icc compiler on a Pentium IV processor. Using the full 32-bit capability and all the implementation tricks explained in Appendix A, our implementation uses only approximately 7 cycles per parity check test. Hence the algorithm works fast in practice and will take $7 \cdot 2^{l_s} m$ processor cycles.

Each attack is run 100 times, and the table shows that the estimated success rate holds and that the algorithm is efficient.
Table 2. We have tested the attack on the LILI-128 Boolean function with $p = 0.501862$. Note that the runtime for finding $I_s$ is independent of the length $l_u$ of LFSR$_u$ and the length $M$ of the keystream. The attack on a full LFSR$_u$ of length 89 and reduced LFSR$_s$ of length 11 took 12 seconds.

l_s   l_u   Keystream length M   Successes out of 100   m          Runtime   2^{l_s} · m
11    60    2^{24.1}             59                     m_0        6 sec.    2^{31}
11    60    2^{25.1}             100                    2.2 · m_0  13 sec.   2^{32}
11    40                         51                     m_0        6 sec.    2^{31}
11    40                         100                    2.2 · m_0  13 sec.   2^{32}
10    89    2^{29}               99                     2.1 · m_0  6 sec.    2^{32}
11    89                         99                     2.1 · m_0  12 sec.   2^{32}
12    89                         99                     2.1 · m_0  24 sec.   2^{33}



6.3 A Complete Attack on LILI-128

Preprocessing. For the LILI cipher, we have found a multiple $h(x) = a(x) g_u(x)$ which corresponds to the recursion $u_t + u_{t+139501803} + u_{t+210123252} + u_{t+1243366916} = 0$ and we have that

$$\mathrm{Prob}(v_t + v_{t+139501803} + v_{t+210123252} + v_{t+1243366916} = 0) = 0.501862. \qquad (18)$$

This precomputation took only 5 hours and 40 Gbyte hard disk space. We see that $l_h = 1243366916$.

Finding $I_s$. We have $p = 0.501862$, and $m_0 = 39 / C(0.501862) \approx 3.9 \cdot 10^6 \approx 2^{21.9}$. To be almost sure to succeed we use $m = 2.1 m_0$ equations. Hence, the runtime for attacking LILI-128 is

$$2^{39} \cdot 2.1\, m_0 \approx 2^{62}$$

parity checks. Using our implementation this corresponds to $2^{62} \cdot 7$ processor cycles. Using Proposition 2 with $P_d = 0.6$ we need a keystream of length $M \approx 2^{29}$. The attack needs about 290 Mbyte of RAM. It can easily be parallelized and distributed among processors with virtually no overhead, since there is no need for communication between the processors, and no need for shared memory. If we have 1024 Pentium IV 2.53 GHz processors, each having access to about 290 MB of memory, the attack would take about 4.5 months using 68 Mbyte of keystream data.

Finding $I_u$ when $I_s$ is known. Our attack only finds the initialization bits $I_s$ for LFSR$_s$. It is possible to combine the Quick Metric from [12] with the previous attack against LILI in [7] to find $I_u$ when $I_s$ is given. Since this is not the scope of this paper we will not go into details, and we refer to [7, 12] for the exact description. The preprocessing stage will have complexity of order memory lookups, and runtime complexity of order parity checks. The complexity for the method above is much lower than the complexity for finding $I_s$ and will therefore have little effect on the overall runtime for a full attack.

7 Conclusion

We have proposed a new key recovery correlation attack on irregularly clocked keystream generators where the stream is filtered by a nonlinear Boolean function. Our attack uses a correlation property of Boolean functions that gives higher correlation than previous methods. Thus we need fewer equations to succeed. The property holds even if the function is correlation immune. Using this property together with the iteration techniques from [11] we get a low runtime and low memory complexity algorithm for attacking the model. The algorithm outputs the initialization bits $I_s$ for LFSR$_s$. Knowing $I_s$ there exist previous algorithms which can determine $I_u$ efficiently.
Appendix

A Implementation Details

To reach the runtime complexity $O(2^{l_s} \cdot m)$ and bring the memory complexity down to $N + 128m$ bits, the implementation of the algorithm uses some tricks. Since not all of these tricks are obvious we give more detailed descriptions of them below.

A.1 Runtime Details

Sliding window. In Lemma 2 we get $v^{i+1}$ by among other things deleting the $c^i_0$ first bits of $v^i$. This is done using the sliding window technique, which means that we move the viewing window to the right instead of shifting the whole sequence to the left. This way the shifting can be done in just a couple of operations. To avoid heavy use of memory, we slide the window over an array of fixed length $N$, so that the entries that become free at the beginning of the array are reused. Thus, the left and right indexes of the sliding window after $i$ iterations will be

$$(left, right) = (i \bmod N,\ (i + N_i) \bmod N),$$

where $N > N_i$, for all $i$, $0 \le i < 2^{l_s}$.
The same sliding window technique is also used on the equation set when equations are deleted and added to the equation set.

Updating the indices. In Lemma 2 every pointer $z_{t+1}$ in $v^i$ is replaced with $z_t$ for every $0 \le t < M$, which would take $M$ operations. If we skip the replacements we note that after $i$ iterations the entry $z_t$ in $v^i$ will become $z_{t+i}$. It is also important to note that when we write $v^* = (\ldots, z_0, \ldots, z_t, \ldots)$, the entries $z_0, \ldots, z_t, \ldots, z_M$ are pointers from $v^*$ to $z$. They are not the actual key bits. Thus, in the implementation we do not replace $z_t$ with $z_{t-1}$. But when we after $i$ iterations in the search for equations find an equation $v_k + v_{k+j_1} + v_{k+j_2} + v_{k+j_3} = 0$ that is defined, we replace the corresponding equation $z_{t_1} + z_{t_2} + \cdots + z_{t_4}$ with $z_{t_1 - i} + z_{t_2 - i} + \cdots + z_{t_4 - i}$, to compensate.

Reducing the memory access time. When we test an equation we must use pointers to pointers to the keystream. Then each equation test will have high memory access time. We can reduce this significantly by testing the equations on 32 states simultaneously. This is possible since the next state $I^{i+1}$ is tested by shifting all the equations one entry to the left over $z$. We can now take the bits $z_{t_a}, z_{t_a + 1}, \ldots, z_{t_a + 31}$ for each of the terms $1 \le a \le 4$ in the equations and put them into 32 bit registers. Now we can test the states and add one to the metrics of the states that satisfy the equation. This speeds up the runtime by a factor of approximately 20.

A.2 Memory Details

Reducing the use of memory. Instead of storing all the pointers, we set 1 in $v^0$ where the bits are defined and 0 otherwise. When we search in $v^i$ to find entries where the equation $A_v$ is defined, we keep track of where in $z$ the four terms in $A_v$ point to by counting the number of 1's we pass during the search. This is done for each of the 4 terms in the equation $A_v$. This way we always know where in $z$ the given equation of $v^i$ points to. Using this trick the number of memory bits needed during an attack is reduced from $32N + 128m$ bits to

$$N + 128m.$$

Implementing this trick will not affect the runtime of the attack.
Abstract. Recently proposed algebraic attacks [2, 6] and fast algebraic 
attacks [1,5] have provided the best analyses against some deployed 
LFSR-based ciphers. The process complexity is exponential in the de- 
gree of the equations. Fast algebraic attacks were introduced [5] as a 
way of reducing run-time complexity by reducing the degree of the sys- 
tem of equations. Previous reports on fast algebraic attacks [1,5] have 
underestimated the complexity of substituting the keystream into the 
system of equations, which in some cases dominates the attack. We also 
show how the Fast Fourier Transform (FFT) [4] can be applied to de- 
crease the complexity of the substitution step. Finally, it is shown that 
all functions of degree d satisfy a common, function-independent linear 
combination that may be used in the pre-computation step of the fast 
algebraic attack. An explicit factorization of the corresponding charac- 
teristic polynomial yields the fastest known method for performing the 
pre-computation step. 



1 Introduction 

Many popular stream ciphers are based on linear feedback shift registers (LFSRs) [11]. Such ciphers include E0 [3], LILI-128 [12] and Toyocrypt (see [10]). They consist of a memory register called the state that is updated (changed) every time a keystream output is produced, and an additional device, called the nonlinear combiner. The nonlinear combiner computes a keystream output as a function of the current LFSR state¹. The sequence of states produced by an LFSR depends on the initial state of the LFSR, which is always presumed to be secret. Since recovering this initial state allows prediction of unknown keystream, we follow the convention of [5] and call it K as if it was actually the key. Most practical stream ciphers initialize this state from the real key and a nonce. The advantages of LFSRs are many. LFSRs can be constructed very efficiently in hardware and some recent designs are also very efficient in software. LFSRs can be chosen such that the produced sequence has a high period and good statistical properties.

¹ Some LFSR-based stream ciphers have a non-linear filter that maintains some bits of memory, but research has shown that such ciphers can be analyzed in the same way as ciphers without memory. Some designs use multiple LFSRs, but again these are usually equivalent to a single LFSR. Some modern stream ciphers use units larger than bits, but this discussion applies equally to such ciphers, so we will talk only in terms of bits.
While there are many approaches to the cryptanalysis of LFSR-based stream ciphers, this paper is concerned primarily with the recently proposed algebraic attacks [2,6] and fast algebraic attacks [1,5]. Such attacks have provided the best analyses against some theoretical and deployed ciphers.

An algebraic attack consists of three steps. The first step is to find a system of algebraic equations that relate the bits of the initial state K and bits of the keystream $Z = \{z_t\}$. Some methods [2,6] have been proposed for finding “localized” equations (where the keystream bits are in a small range $z_t, \ldots, z_{t+\theta}$). This first step is a pre-computation: the attacker must compute these equations before attacking a keystream. Furthermore, the computation need only be performed once, and the attacker can use the same equations for attacking multiple keystreams. The second and third steps are performed after the attacker has observed some keystream. In the second step, the observed keystream bits are substituted into the algebraic equations (from the first step) to obtain a system of algebraic equations in the bits of K. The third step is to solve these algebraic equations to determine K. This will be possible if the equations are of low degree in the bits of K, and a sufficient number of equations can be obtained from the observed keystream.

The process complexity of the third step is exponential in the degree of the 
equations. Fast algebraic attacks were introduced by Courtois at Crypto 2003 [5] 
as a way of reducing run-time complexity by reducing the degree of the system 
of equations. This method requires an additional pre-computation step; this step 
determines a linear combination of equations in the initial system that cancels 
out terms of high degree (provided the algebraic equations are of a special form). 
This yields a second system of equations relating K and the keystream Z that 
contains only terms of low degree. In the second step, the appropriate keystream 
values are now substituted into this second system to obtain a new system of 
algebraic equations in the bits of K. Solving the new system (in the third step) 
is easier than solving the old system because the new system contains only terms 
of low degree. 

Courtois [5] proposes using a method based on the Berlekamp-Massey algorithm [8] for determining the linear combination obtained in the additional pre-computation step. The normal Berlekamp-Massey algorithm has a complexity of 
, while an asymptotically fast implementation has a complexity of $C \cdot D(\log D)$ for some large constant C. It is unclear which method would be best for the size of D considered in these attacks. Armknecht [1] provides a method for improving the complexity when the cipher consists of multiple LFSRs.

Contributions of this paper. The first contribution is to note that previous reports on fast algebraic attacks (such as [1,5]) appear to have underestimated the complexity of substituting the keystream into the second system of equations². The complexity was originally underestimated as only $O(DE)$ [5], where D is the size of the linear combination and E is the size of the second system

² We are aware (via private communication) of other proposed algebraic attacks in which the substitution complexities were initially ignored. In one case, the complexity of simple substitution was almost the square of the complexity of solving the system.
of equations. Table 1 lists the values of $O(DE)$ for previously published attacks from [1,5]. However, simple substitution would require a complexity of $DE^2/2$ (see Section 2.3), and no other method was suggested for reducing the complexity. It is true that E bitwise operations of the substitution can be performed in parallel, reducing the time complexity to $DE^2/2$, but in cases where E is large, the process complexity should still be considered $DE^2/2$ in the absence of specialized hardware. In many cases $DE^2/2$ actually exceeds the complexity of solving the system of equations, as shown in Table 1³. The second contribution of this paper is to show how the Fast Fourier Transform (FFT) [4] can be applied to decrease the complexity of the substitution step to $2ED\log_2 D$. The resulting complexities of the FFT approach are also listed in Table 1.

Table 1. Comparison of substitution complexities for published fast algebraic attacks. 
The final contribution of this paper is to provide an efficient method for determining the linear combination obtained in the additional pre-computation step of the fast algebraic attack. First, we make the observation that all functions of degree d satisfy a common function-independent linear combination of length $D \approx \binom{n}{d}$ defined exclusively by the LFSR. Then we provide a direct method for computing this linear combination (based on the work of Key [7]). This method requires $c \cdot D\,(n(\log n)^2 + (\log_2 D)^2)$ operations for small constant c. This is a significant improvement on the complexities of previous methods.

Table 2. The complexities of the pre-computation step for published attacks, where C represents a large constant and c represents a small constant.

Cipher | Armknecht [1] | Direct Computation | Parallel Method
E0 | (legible entries, in page order: C · 2^…, 2^42, 2^35)
Toyocrypt | (legible entries, in page order: 2^18, C · 2^…)
This paper is organized as follows: Section 2 describes fast algebraic attacks. In Section 3 we discuss the complexity of the substitution step for fast algebraic attacks. Section 4 reviews the Fast Fourier Transform and Section 5 describes

³ The attack on LILI-128 requires only every $(2^{…} - 1)$-st bit from a keystream of length $2^{…}$. The process complexity of selecting these bits is ignored in the literature, and could be an area for useful discussion.
how the FFT can speed up the substitution step. Section 6 contains some observations on the pre-computation step. Section 7 concludes the paper.



2 Fast Algebraic Attacks 

The length of the LFSR is n bits; that is, the internal state of the LFSR is $K_t \in GF(2)^n$. A state $K_{t+1}$ is derived from the previous state $K_t$ by applying an (invertible) linear mapping $L : GF(2)^n \to GF(2)^n$, with $K_{t+1} = L(K_t)$. The function L can be represented by an $n \times n$ matrix over GF(2), which is called the state update matrix. Notice that we can write $K_t = L^t(K)$. Each keystream bit is generated by first updating the LFSR state (by applying L) and then applying a Boolean function to the bits of the LFSR state. For the purposes of this paper, everything about the cipher is presumed to be known to the attacker, except the initial state of the LFSR and any subsequent state derived from it.

Linearization: Recall that the first two steps of the attack result in a system 
of nonlinear algebraic equations in a small number of unknown variables (these 
variables being the bits of the initial state). The most successful algebraic attacks 
(to date), have been based on linearization. The basis of this technique is to 
“linearize” a system of nonlinear algebraic equations by assigning a new unknown 
variable to each monomial term that appears in the system. The same monomial 
term appearing in distinct equations is assigned the same new unknown variable. 
The system of equations then changes from a system of non-linear equations 
(with few unknown variables) into a system of linear equations (with a large 
number of unknown variables). If the number of linear equations exceeds the 
number of new unknown variables, then an attacker can solve the system to 
obtain the new unknown variables of the linear system (which will in turn reveal 
the unknown variables of the non-linear system). The advantage of linearization 
is that the attacker can use the large body of knowledge about the solution of 
linear systems. 



2.1 The Monomial State 

This section introduces some notation that is useful for describing linearization. For a given value of the state $K_t$ and for a given degree d, we shall let $M_d(t)$ (the monomial state) denote the GF(2) column vector with each component being a corresponding monomial of degree d or less. The number of such monomials is $D = \sum_{i=0}^{d}\binom{n}{i} \approx \binom{n}{d}$, so $M_d(t)$ contains D components. The initial monomial state $M_d$ corresponds to the initial state K.

Example 1. If n = 4 (that is, $K_t = (k_3, k_2, k_1, k_0)$) and d = 2, then there are D = 11 monomials of degree 2 or less:

$M_d(t) = (m_0, m_1, m_2, m_3, m_4, m_5, m_6, m_7, m_8, m_9, m_{10})^T$
$= (1, k_0, k_1, k_2, k_3, k_0k_1, k_0k_2, k_0k_3, k_1k_2, k_1k_3, k_2k_3)^T$,

where “T” denotes the transpose of the matrix to make a column vector. For $K_t = (0, 1, 1, 1)$, the values of the monomial components of $M_d(t)$ are:

$M_d(t) = (1, k_0 = 1, k_1 = 1, k_2 = 1, \ldots, k_1k_2 = 1, k_1k_3 = 0, k_2k_3 = 0)^T$
$= (1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 0)^T$.

The ordering of the monomial components is arbitrary; for consistency we will enumerate using lower subscripts first, as shown. □

Expressing Functions of the LFSR State. We can express any Boolean function of the LFSR state as a product of the matrix $M_d(t)$ with a row vector.

Example 2. Consider a Boolean function of the state $f(K_t) = k_2 + k_1k_3$ (using the LFSR state from Example 1). This function can be expressed:

$f(K_t) = k_2 + k_1k_3$
$= 0 \times 1 + 0 \times k_0 + 0 \times k_1 + 1 \times k_2 + 0 \times k_3 + 0 \times k_0k_1 + 0 \times k_0k_2 + 0 \times k_0k_3 + 0 \times k_1k_2 + 1 \times k_1k_3 + 0 \times k_2k_3$
$= (0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0) \cdot M_d(t) = \mathbf{f} \cdot M_d(t)$, (1)

where the addition and multiplication operations are performed in GF(2). We have now expressed the Boolean function $f(K_t)$ as the product of the matrix $M_d(t)$ with a row vector

$\mathbf{f} = (f_0, \ldots, f_{D-1}) = (0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0)$

that selects the values of the specific monomials required to evaluate $f(K_t)$. □

The row vector $\mathbf{f}$ depends only on the function f, and is independent of the LFSR feedback polynomial, the value of the initial state, and the index t.

The Monomial State Rewriting Matrix. The mapping from one LFSR state to the next LFSR state can be expressed as a matrix product $K_{t+1} = L \cdot K_t$. It is also possible to determine the mapping from one monomial state to the next monomial state as a matrix product $M_d(t+1) = R_d \cdot M_d(t)$.

Example 3. Consider a 4-bit LFSR as in Example 1 with monomial state $M_d(t) = (1, k_0, k_1, k_2, k_3, k_0k_1, k_0k_2, k_0k_3, k_1k_2, k_1k_3, k_2k_3)^T$. If the LFSR is of the form $s_{t+4} = s_{t+1} + s_t$, then the next state $K_{t+1}$ has a corresponding next monomial state $M_d(t+1) = (m'_0, m'_1, m'_2, m'_3, m'_4, m'_5, m'_6, m'_7, m'_8, m'_9, m'_{10})^T$ which is related to the original monomial state as follows (only some relationships have been shown in order to save space):

$m'_0 = 1 = 1 = m_0 = (1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) \cdot M_d(t)$,

$m'_1 = k'_0 = k_1 = m_2 = (0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0) \cdot M_d(t)$,

$m'_4 = k'_3 = k_0 + k_1 = m_1 + m_2 = (0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0) \cdot M_d(t)$,

$m'_{10} = k'_2k'_3 = k_3(k_0 + k_1) = m_7 + m_9 = (0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0) \cdot M_d(t)$.

Each component of the next monomial state is a linear function of the original monomial state. These linear functions for $m'_0, \ldots, m'_{10}$ can be combined into a matrix (the “rewriting matrix”) such that $M_d(t+1) = R_d \cdot M_d(t)$.

R_d =
1 0 0 0 0 0 0 0 0 0 0
0 0 1 0 0 0 0 0 0 0 0
0 0 0 1 0 0 0 0 0 0 0
0 0 0 0 1 0 0 0 0 0 0
0 1 1 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 1 0 0
0 0 0 0 0 0 0 0 0 1 0
0 0 1 0 0 1 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 1
0 0 0 0 0 0 1 0 1 0 0
0 0 0 0 0 0 0 1 0 1 0

□

Notice that the matrix $R_d$ depends only on the LFSR and the degree d. This example generalizes: for every LFSR and degree d there is a “monomial state rewriting matrix” $R_d$ such that $M_d(t+1) = R_d \cdot M_d(t)$. Moreover, for every t, the monomial state after t clocks of the LFSR can be expressed as a GF(2) matrix operation

$M_d(t) = R_d^t \cdot M_d$, (2)

where $M_d$ is the initial monomial state. Combining equations (1) and (2), we get another expression for $f(K_t)$:

$f(K_t) = \mathbf{f} \cdot (R_d^t \cdot M_d) = (\mathbf{f} \cdot R_d^t) \cdot M_d = \mathbf{f}(t) \cdot M_d$, (3)

where the vector $\mathbf{f}(t) = \mathbf{f} \cdot R_d^t$ depends solely on the function f, the monomial state update matrix $R_d$ and the number of clocks t (all of which are known to the attacker). For example, the vectors $\mathbf{f}(t)$, $t \in \{0, 1, 2\}$ corresponding to the function f in Example 2 are:

$\mathbf{f}(0) = \mathbf{f} \cdot R_d^0 = \mathbf{f} \cdot I = (0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0)$,

$\mathbf{f}(1) = \mathbf{f} \cdot R_d^1 = \mathbf{f}(0) \cdot R_d = (0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0)$,

$\mathbf{f}(2) = \mathbf{f} \cdot R_d^2 = \mathbf{f}(1) \cdot R_d = (0, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1)$.

2.2 Algebraic Attacks 

We always assume that the monomial state is unknown; it is the goal of algebraic 
attacks to determine the initial monomial state Md (and thereby determine the 
initial LFSR state). 

Step 1. The first step in an algebraic attack is to find a Boolean function h such that the equation

$h(K_t, z_t, \ldots, z_{t+\theta}) = 0$, (4)

is true for all clocks (or indices) t. The degree of h with respect to the bits of $K_t$ we shall denote by d. Various methods have been proposed for finding such equations (see [2,6]). These equations typically have small values for θ. For simplicity we shall hereafter combine the keystream bit values $z_t, \ldots, z_{t+\theta}$ into a keystream vector $\mathbf{z}_t$.

For the linearization approach, it is convenient to obtain an expression for $h(K_t, \mathbf{z}_t)$ in terms of keystream bits and bits of the initial monomial state $M_d$.

1. Express $h(K_t, \mathbf{z}_t)$ as the inner product of $M_d(t)$ and a keystream-dependent vector $\mathbf{h}(\mathbf{z}_t)$:

$h(K_t, \mathbf{z}_t) = \mathbf{h}(\mathbf{z}_t) \cdot M_d(t)$. (5)

2. Now, Equation (2) can be substituted into Equation (5):

$h(K_t, \mathbf{z}_t) = \mathbf{h}(\mathbf{z}_t) \cdot (R_d^t \cdot M_d) = (\mathbf{h}(\mathbf{z}_t) \cdot R_d^t) \cdot M_d = \mathbf{h}(t) \cdot M_d$,
where $\mathbf{h}(t) = \mathbf{h}(\mathbf{z}_t) \cdot R_d^t$.

3. Equation (4) is thereby transformed to the form:

$\mathbf{h}(t) \cdot M_d = 0$. (6)

The components of $\mathbf{h}(t) = (h_0(t), \ldots, h_{D-1}(t))$ depend on: (a) the function h; (b) the monomial state rewriting matrix $R_d$ associated with the monomials of degree d or less; (c) the number of clocks t; and (d) the small keystream vector $\mathbf{z}_t$. An attacker has access to all of this information, so the attacker is able to compute all of the components of $\mathbf{h}(t)$. This means that the only unknowns in Equation (6) are the components of the initial monomial state $M_d$.

Step 2. The second step of an algebraic attack consists of substituting the observed keystream vector $\mathbf{z}_t$ into the components of the vectors $\mathbf{h}(\mathbf{z}_t)$ and then computing the vector $\mathbf{h}(t) = \mathbf{h}(\mathbf{z}_t) \cdot R_d^t$. The vectors $\mathbf{h}(t)$ are evaluated for many indices t. Each of the evaluated vectors $\mathbf{h}(t)$ provides the attacker with a linear equation in the D unknown bits of the initial monomial state $M_d$. Since there are D unknowns, around D linear equations will be required to obtain a solvable system. An initial choice of D equations may contain linearly dependent equations, so more than D equations may be required in order to get a completely solvable system. It is thought that not many more than D equations will be required in practice (see remark at the end of section 5.1 of [5]), so we will assume D equations are sufficient.

Step 3. The third step recovers $M_d$ by solving the resulting system of linear equations. The system can be solved by Gaussian elimination or more efficient methods [13]. The complexity of solving such a system of equations is estimated to be $O(D^\omega)$, where ω (known as the Gaussian coefficient) is estimated to be ω = 2.7. In general, D will be about $\binom{n}{d} = O(n^d)$.
Complexities. The complexities of an algebraic attack are as follows:

— The complexity of finding the equation $h(K_t, \mathbf{z}_t)$ depends on many factors and is beyond the scope of this paper.

— The amount of keystream required for the second step (the data complexity) is $D = O(n^d)$.

— The complexity of the second step (substituting the keystream into the equations) is $O(D^2) = O(n^{2d})$, assuming that the functions $h(K_t, \mathbf{z}_t)$ are relatively simple functions of the keystream; and

— the complexity of solving the system in the third step is $O(n^{\omega d})$.

Note 1. The complexity is exponential in the degree d. Hence, a low degree d is 
required for an efficient attack. Therefore, an attacker using an algebraic attack 
will always try to find a system of low degree equations. 

2.3 Fast Algebraic Attacks 

Courtois [5] proposed “fast algebraic attacks”, as a method for decreasing the degree of a given system of equations. For fast algebraic attacks, we presume that the function h can be written in the form

$h(K_t, z_t, \ldots, z_{t+\theta}) = u(K_t) + v(K_t, \mathbf{z}_t) = 0$, (7)

where u is of degree d in the bits of $K_t$, v is of degree e < d in the bits of $K_t$ and only v depends on the keystream. Since the functions u and v are of two distinct degrees (in the bits of $K_t$), it is simplest to consider them as depending on distinct monomial states $M_d$ and $M_e$, with corresponding monomial state rewriting matrices $R_d$ and $R_e$. There are $D = \sum_{i=0}^{d}\binom{n}{i} \approx \binom{n}{d}$ monomials of degree d or less, and $E = \sum_{i=0}^{e}\binom{n}{i} \approx \binom{n}{e}$ monomials of degree e or less.

A fast algebraic attack gains an advantage over the normal algebraic attacks by including an additional pre-computation step in which the attacker determines linear combinations of equation (7) that will cancel out the high-degree monomials of degree e+1, e+2, ..., d that occur in $u(K_t)$, but not in $v(K_t, \mathbf{z}_t)$. As in equation (3), $u(K_t)$ and $v(K_t, \mathbf{z}_t)$ are written as vector inner-products:

— $u(K_t) = \mathbf{u} \cdot M_d(t) = \mathbf{u}(t) \cdot M_d$, where $\mathbf{u}(t) = \mathbf{u} \cdot R_d^t$ is a vector with D components (all of which are independent of the keystream); and

— $v(K_t, \mathbf{z}_t) = \mathbf{v}(\mathbf{z}_t) \cdot M_e(t) = \mathbf{v}(t) \cdot M_e$, where $\mathbf{v}(t) = \mathbf{v}(\mathbf{z}_t) \cdot R_e^t$ is a vector with E components (some of which are dependent on the keystream).

Equation (7) is then transformed to:

$\mathbf{u}(t) \cdot M_d + \mathbf{v}(t) \cdot M_e = 0$. (8)

In the fast algebraic attack pre-computation step, the attacker finds (D+1) coefficients $b_0, \ldots, b_D \in \{0, 1\}$, such that

$\sum_{i=0}^{D} b_i \cdot \mathbf{u}(t+i) = 0, \quad \forall t$. (9)




398 Philip Hawkes and Gregory G. Rose 



Equations (8) and (9) can be combined:

$\sum_{i=0}^{D} b_i \cdot (\mathbf{u}(t+i) \cdot M_d + \mathbf{v}(t+i) \cdot M_e) = \left(\sum_{i=0}^{D} b_i \cdot \mathbf{u}(t+i)\right) \cdot M_d + \left(\sum_{i=0}^{D} b_i \cdot \mathbf{v}(t+i)\right) \cdot M_e = 0$.

Thus, we obtain a linear expression in $M_e$:

$\mathbf{v}'(t) \cdot M_e = 0$, where (10)

$\mathbf{v}'(t) = \sum_{i=0}^{D} b_i \cdot \mathbf{v}(t+i)$. (11)

The second step of a fast algebraic attack is to evaluate many vectors $\mathbf{v}'(t)$, by substituting observed keystream vectors $\mathbf{z}_{t+i}$ into the vectors $\mathbf{v}(t+i)$ in equation (11). Each of the evaluated vectors $\mathbf{v}'(t)$ provides the attacker with a linear equation in the E unknown bits of the initial monomial state $M_e$. Equation (10) involves fewer unknowns than the initial equation (7); this means that the fast algebraic attack requires fewer equations in order to solve for the unknowns. Reducing the number of unknowns and equations significantly improves the third step of the attack as solving the system of E equations (10) takes significantly less time than solving the system of D equations of (6). The complexity of the third step is now $O(E^\omega)$.

Courtois [5] and Armknecht [1] have proposed efficient methods for finding the coefficients of equation (9). The details are not relevant to this paper, but the complexities are provided in Table 2 for the purposes of comparison with the method proposed in Section 6 of this paper.

Data Complexity. Evaluating the vector $\mathbf{v}'(t)$ (for each equation (10)) requires substituting the bits from the D keystream vectors $\mathbf{z}_{t+i}$, $0 \le i \le D$. Obtaining E equations (10) can be achieved using the set of keystream vectors $\{\mathbf{z}_{t+i}, 0 \le i \le D, 1 \le t \le E\} = \{\mathbf{z}_t, 1 \le t \le D+E\}$. These keystream vectors can be obtained from the keystream bits $z_{t+i}$, $1 \le t \le D+E+\theta$. Hence, the attack can be performed using as few as $(D+E+\theta) = O(D)$ keystream bits.

3 Substitution Complexity of Fast Algebraic Attacks

Normal algebraic attacks and fast algebraic attacks differ in the complexity of substituting the keystream into the equations in Step 2. The vector $\mathbf{h}(t)$ is a function of a small number of keystream bits $z_{t+i}$, $0 \le i \le \theta$, but the vector $\mathbf{v}'(t)$ is a function of a large number of keystream bits $z_{t+i}$, $0 \le i \le D+\theta$. As discussed in the introduction, a misunderstanding resulted in the attacks [1,5] failing to account for this difference.

The naive approach to substituting the keystream is to compute the vectors $\mathbf{v}(t)$ first and then substitute these vectors into the equations (11) individually⁴. Computing a single component of the vector $\mathbf{v}'(t) = \sum_{i=0}^{D} b_i \cdot \mathbf{v}(t+i)$ for a single value of t will require complexity D/2, since (on average) half of the coefficients

⁴ We ignore the cost of computing $\mathbf{v}(t)$ as this cost is independent of the cost of determining $\mathbf{v}'(t)$ from the values of $\mathbf{v}(t)$.
$b_i$ are expected to be zero. There are E components in each vector $\mathbf{v}'(t)$, so the complexity of substituting the keystream to obtain a single vector $\mathbf{v}'(t)$ using equation (11) is $E \times (D/2) = ED/2$. That is, obtaining a single equation (11) has complexity ED/2. Since E equations are required in order to solve the system, the total cost of simple substitution will be $E \times (ED/2) = E^2D/2$. Table 3 lists the complexity of simple substitution for the fast algebraic attacks in the literature. Note that simple substitution is significantly more complex than solving the linear system of equations in these cases.

Table 3. Comparing the claimed complexities of substitution, the complexities of simple substitution and the complexity of solving the linear system.

Cipher | n | d, e | D | E | Claimed Subs O(ED) | Simple Subs E²D/2 | Solving Linear System (E^ω)
E0 | (cells illegible; one surviving entry reads 2^59)
LILI-128 | (cells illegible)
4 The Discrete Fourier Transform

Real Spectral Analysis: First, we'll consider a quick tangential topic. A common tool in analyzing a real-valued function a(x) (such as a sound wave) evaluated on a real domain $x \in [0, P]$ is to represent the function a(x) as a sum of simple periodic functions (cosine and sine curves) where the function a(x) is specified by the amplitudes of these periodic functions:

$a(x) = A_0 + \sum_{i=1}^{\infty} A_i \cdot \cos(2\pi f_i x) + \sum_{i=1}^{\infty} A'_i \cdot \sin(2\pi f_i x)$,

with amplitudes $A_i$ and $A'_i$ assigned for each frequency $f_i$. The sequences $\{A_i\}$ and $\{A'_i\}$ are the Fourier series for a(x), and evaluating the amplitudes is called a spectral analysis.

Discrete Spectral Analysis: Suppose a(t) is a function defined at discrete values $t \in \{1, 2, 3, \ldots, P\}$, and the values of a(t) lie in a field F. Such discrete functions are equivalent to sequences written $a = \{a(t)\}$. Discrete spectral analysis of a, like real spectral analysis, represents a using simple periodic sequences with period P. These periodic sequences are of the form $\Lambda_\phi = \{\Lambda_\phi(t) = \Lambda^{\phi t}\}$, where $0 \le \phi \le (P-1)$, and Λ is an element of multiplicative order P in some field G; these functions are analogous to the sine and cosine curves.

In some cases, F has elements of multiplicative order P, and Λ can be an element of F; that is, G = F. In other cases, Λ must be chosen in a larger field G that is an extension field of F. In either case, the field G is a vector space over F; that is, elements of G are of the form $x = \sum_{i=1}^{p} x_i \nu_i$ for some basis $\{\nu_1, \ldots, \nu_p\}$, $p \ge 1$. Elements $x \in F$ are mapped to elements $\bar{x} = x\,I \in G$, where I is the identity element of G. Thus, the sequence a of elements of F is mapped to the sequence $\bar{a}$ with elements of G. A discrete spectral analysis determines a sequence of P “amplitudes” $A = \{A_\phi \in G, 0 \le \phi \le (P-1)\}$, such that the sequence $\bar{a}$ can be expressed as:

$\bar{a}(t) = \sum_{\phi=0}^{P-1} A_\phi \cdot \Lambda_\phi(t)$. (12)

In this way, each sequence value $\bar{a}(t)$ is represented as a linear combination of P periodic sequences $\Lambda_\phi$, $0 \le \phi \le (P-1)$. It is well known that the sequence of amplitudes A can be computed directly from the sequence $\bar{a}$ as:

$A_\phi = P^{-1} \cdot \sum_{t=1}^{P} \bar{a}(t) \cdot \Lambda_\phi(-t)$. (13)

The calculation of A from a as in (13) is called the Discrete Fourier Transform (DFT), while the calculation of a from A is the Inverse DFT. The most efficient method for performing the DFT, known as the Fast Fourier Transform (FFT) [4], requires a total of $P\log_2 P$ operations in the field G. There is also an Inverse FFT that uses the same amount of computation to invert the DFT.

Convolutions and the DFT. The convolution of two discrete sequences a and b of period P is another sequence y of period P with $y(t) = \sum_{i=1}^{P} a(i) \cdot b((t-i) \bmod P)$, ∀t. These are sequences of elements from the field F. It is common to write $y(t) = (a * b)(t)$. Computing the convolution according to first principles would take $P^2$ multiplication and addition operations in the field F. However, the Convolution Property provides us with an alternative method.

Convolution Property: $y(t) = (a * b)(t)$, ∀t if and only if $Y_\phi = A_\phi \cdot B_\phi$, ∀φ.

The convolution can be computed by applying the FFT to a and b to form A and B, forming $\{Y_\phi = A_\phi \cdot B_\phi\}$; and finally applying the inverse FFT to Y in order to form y. The total complexity is $3(P\log_2 P) + P = P(3\log_2 P + 1)$ operations in the field G. In the cases where G = F, the FFT method is faster by a factor of $P/(3\log_2 P + 1)$. In other cases, computations in G cost more than computations in F and the advantage is less. This “trick” has been applied in many areas such as the fast multiplication of large numbers and polynomials (the product of two polynomials is the convolution of the two corresponding sequences of coefficients). We shall use this trick in the next two sections.

5 Applying the FFT to the Substitution Step

The calculation in equation (11) is performed component-wise, so we will begin by focussing on the sequence of values for only one of the monomial components $v_\mu(t)$ of the vectors $\mathbf{v}(t) = (v_0(t), \ldots, v_{E-1}(t))$, $0 \le \mu \le (E-1)$, and the corresponding components $v'_\mu(t)$ of the vectors $\mathbf{v}'(t)$. Assume that the attacker has observed a sufficient amount of keystream, evaluated the values of $v_\mu(t)$ in equation (8) for $1 \le t \le (D+E)$, and determined the values $b_0, b_1, \ldots, b_D$. The attacker now needs a fast way to determine the values $v'_\mu(t) = \sum_{i=0}^{D} b_i \cdot v_\mu(t+i)$, $1 \le t \le E$ (see equation (11)) from the values $v_\mu(t)$.

The inefficiency of using simple substitution is indicated by two things:

— Equations (11) often re-use the same values of $v_\mu(t+i)$ when computing $v'_\mu(t)$, $1 \le t \le E$.

— Equations (11) all use the same linear combination.

This problem appears similar to computing $(\beta * v_\mu)(t) = v'_\mu(t)$ for an appropriate sequence β. Indeed, if β is defined as $\beta(t) = 0$, $1 \le t \le P-D-1$, and $\beta(t) = b_{P-t}$, $P-D \le t \le P$, then $(\beta * v_\mu)(t) = v'_\mu(t)$ for $1 \le t \le P-D$. Thus, the FFT may be combined with the Convolution Property for computing $v'_\mu(t)$. The sequences $v_\mu$ and β are defined on the field F = GF(2), so G will be a field of the form $GF(2^p)$. We choose p to be the smallest value such that $2^p > (D+E)$, and define $P = 2^p - 1$. This choice seems best because it uses the smallest number of bits to represent elements of G.

Basic DFT-Based Substitution Algorithm

1. Map the sequences β and $v_\mu$ in F to sequences $\bar{\beta}$ and $\bar{v}_\mu$ in G.

2. Apply the DFT to obtain the sequence of amplitudes B from $\bar{\beta}$.

3. Apply the DFT to obtain the sequence of amplitudes V from $\bar{v}_\mu$.

4. Compute $Q_\phi = B_\phi \cdot V_\phi$, $0 \le \phi \le (P-1)$.

5. Apply the inverse DFT to obtain q from Q. Note $q(t) = (\bar{\beta} * \bar{v}_\mu)(t)$.

6. Extract $v'_\mu(t)$ from q(t), $1 \le t \le E$: $v'_\mu(t) = 1$ if $q(t) = I$, else $v'_\mu(t) = 0$.

Complexity. This may seem like a strange way to compute $v'_\mu(t)$, but the algorithm is very efficient when the FFT is used to compute the DFTs:

— The values $B_\phi$ are computed via the FFT using $P(\log_2 P)$ field operations (operations in the field G). For given values $b_0, b_1, \ldots, b_D$, the same sequence β is used for each monomial component and for each attacked keystream. The attacker should pre-compute and store B to save time.

— The values $V_\phi$ are computed via the FFT using $P(\log_2 P)$ field operations.

— The values $Q_\phi = V_\phi \cdot B_\phi$ are computed using (D+E) field multiplications.

— The sequence q can be obtained from $\{Q_\phi\}$ by applying the standard Inverse FFT; this requires $P(\log_2 P)$ field operations.

The pre-computation of B requires $P(\log_2 P)$ field operations. The run-time total complexity for computing the values of $v'_\mu(t)$ from the values $v_\mu(t)$ is approximately $2P\log_2 P$ field operations. These field operations are more complex than GF(2) (logical) operations. To a good approximation, each field operation is equal in complexity to $\log_2 P$ logical operations (much of this can be parallelized). Thus, for our calculations, the run-time complexity of the above algorithm is equivalent to around $2P(\log_2 P)^2$ logical operations.

Improvement 1. The above algorithm computes all (D+E) values of q, but only E of these values are ever used. An efficient alternative is to divide the linear combination into δ segments of length $D' = D/\delta$ and perform the FFTs on these segments using a smaller field $GF(2^{p'})$ where $2^{p'} - 1 = P' > E + D'$. If we define appropriate sequences β[j], $0 \le j \le \delta-1$, then we may write:

$v'_\mu(t) = \sum_{j=0}^{\delta-1} \sum_{i=0}^{D'} b_{D'j+i} \cdot v_\mu(t + D'j + i) = \sum_{j=0}^{\delta-1} (\beta[j] * v_\mu[j])(t)$,

with sub-sequences $\{v_\mu[j](t) = v_\mu(t + D'j)\}$. Now, $q(t) = \sum_{j=0}^{\delta-1} (\beta[j] * v_\mu[j])(t)$ if and only if $Q_\phi = \sum_{j=0}^{\delta-1} B[j]_\phi \cdot V[j]_\phi$. Thus, computing $q(t) = v'_\mu(t)$ requires: pre-computing the FFTs of β[j]; computing the FFTs of $v_\mu[j]$; computing $Q_\phi$; and applying the inverse FFT to Q to obtain q and thus $v'_\mu(t)$. The FFTs and Inverse FFT dominate the complexity, requiring $(\delta+1)P'(\log P')^2$ logical operations at run-time, where $P' \approx D/\delta + E$. The basic algorithm above uses δ = 1. The optimal choice for δ (providing the lowest complexity) depends on D and E.

Improvement 2. The DFT-based substitution algorithm computes the values of $v'_\mu(t)$, $1 \le t \le E$, for only one component μ of the vectors $\mathbf{v}'(t)$, $1 \le t \le E$. There are a total of E monomial components $v'_\mu(t)$, $0 \le \mu < E$, for each such vector; thus if each component is computed separately, then the total complexity of computing all components of every vector $\mathbf{v}'(t)$ would be approximately $E(\delta+1)P'(\log P')$ field operations, or $E(\delta+1)P'(\log P')^2$ logical operations. Fortunately, p' monomial components can be packed into each computation. For a set $\{\mu_1, \ldots, \mu_{p'}\}$ of monomial indices we define a sequence $\bar{v} \in G$: $\bar{v}(t) = \sum_{i=1}^{p'} v_{\mu_i}(t) \cdot \nu_i$. Then

$\bar{v}'(t) = (\bar{\beta} * \bar{v})(t) = \sum_{i=1}^{p'} v'_{\mu_i}(t) \cdot \nu_i$

provides p' values $v'_{\mu_i}(t)$ for the price of one, dividing the total complexity by p'.

Improved DFT-Based Substitution Algorithm
Inputs: $v_{\mu_i}(t)$, $1 \le t \le (D+E)$, $1 \le i \le p'$; B[j], $0 \le j < \delta$.

Outputs: $v'_{\mu_i}(t)$, $1 \le t \le E$, $1 \le i \le p'$.

1. Form $\bar{v}(t) = \sum_{i=1}^{p'} v_{\mu_i}(t) \cdot \nu_i$, $1 \le t \le (D+E)$.

2. Form sub-sequences $\bar{v}[j] = \{\bar{v}(D'j+1), \ldots, \bar{v}(D'j+P')\}$, $0 \le j < \delta$.

3. Apply the DFT to obtain V[j] from $\bar{v}[j]$, $0 \le j < \delta$.

4. Compute $Q_\phi = \sum_{j=0}^{\delta-1} B[j]_\phi \cdot V[j]_\phi$, $0 \le \phi \le (P'-1)$.

5. Apply the inverse DFT to obtain q from Q.

6. Set $\bar{v}'(t) = q(t)$, $1 \le t \le E$.

7. Output $v'_{\mu_i}(t)$, $1 \le i \le p'$, as the coordinates of $\bar{v}'(t) = \sum_{i=1}^{p'} v'_{\mu_i}(t) \cdot \nu_i$, $1 \le t \le E$.

The run-time complexity, after applying these two improvements, is

$(\delta+1)EP'(\log P')^2 \times \frac{1}{p'} = (\delta+1)EP'(\log P')$.
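The basic algorithm and Improvement 2 above, as an added worked example that is not the paper's code: the substitution step computed through the DFT and the Convolution Property over G = GF(2^p), with p' = p components packed into one field element. It assumes a plain O(P²) DFT in place of the FFT (only the operation count changes), the modulus x^4 + x + 1 for GF(16), and constructed coefficients b_i and component sequences v_μ(t) with D = 4 and E = 6.

```python
# Added example, not the paper's code: the DFT/convolution substitution of Section 5
# over G = GF(2^p) together with the component packing of Improvement 2. A plain
# O(P^2) DFT stands in for the FFT; only the operation count differs.
p = 4                    # smallest p with 2^p > D + E for the sizes below (D = 4, E = 6)
P = 2 ** p - 1           # period 15 = multiplicative order of the generator Lambda
MOD = 0b10011            # assumed modulus x^4 + x + 1 for GF(16); elements are 4-bit ints

def gf_mul(a, b):
    """Multiply two GF(2^p) elements: carry-less multiply, reducing by MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & (1 << p):
            a ^= MOD
        b >>= 1
    return r

# Lambda = x generates GF(16)^*, so Lambda^0 .. Lambda^(P-1) are all distinct.
LAMBDA_POW = [1]
for _ in range(P - 1):
    LAMBDA_POW.append(gf_mul(LAMBDA_POW[-1], 2))

def lam(e):
    """Lambda^e with the exponent reduced modulo P (negative e allowed)."""
    return LAMBDA_POW[e % P]

def xsum(values):
    """Sum in characteristic 2, i.e. the XOR of all values."""
    r = 0
    for x in values:
        r ^= x
    return r

def dft(a):
    """Equation (13): A_phi = P^-1 sum_{t=1..P} a(t) Lambda^(-phi t), with a[t-1] = a(t).
    P is odd, so P^-1 = 1 in GF(2^p) and the factor disappears."""
    return [xsum(gf_mul(a[t - 1], lam(-phi * t)) for t in range(1, P + 1))
            for phi in range(P)]

def idft(A):
    """Equation (12): a(t) = sum_phi A_phi Lambda^(phi t), returned as a list indexed by t-1."""
    return [xsum(gf_mul(A[phi], lam(phi * t)) for phi in range(P)) for t in range(1, P + 1)]

def substitute_direct(v, b, E):
    """Simple substitution, equation (11): v'(t) = sum_{i=0..D} b_i v(t+i) for 1 <= t <= E."""
    D = len(b) - 1
    return [xsum(b[i] & v[t + i - 1] for i in range(D + 1)) for t in range(1, E + 1)]

def substitute_dft(v, b, E):
    """Basic DFT-based algorithm. beta(t) = 0 for t <= P-D-1 and b_{P-t} for P-D <= t <= P,
    so (beta * v)(t) = sum_i b_i v(t+i) = v'(t) for 1 <= t <= P-D (E <= P-D here).
    GF(2) values 0/1 are already the subfield elements 0 and I of G, so no explicit map."""
    D = len(b) - 1
    beta = [b[P - t] if t >= P - D else 0 for t in range(1, P + 1)]
    padded = v + [0] * (P - len(v))             # v(t) is only needed for t <= D+E
    B, V = dft(beta), dft(padded)               # B depends only on b and would be stored
    q = idft([gf_mul(B[phi], V[phi]) for phi in range(P)])   # Q_phi = B_phi V_phi
    return q[:E]

def substitute_packed(components, b, E):
    """Improvement 2: pack up to p component sequences v_{mu_i}(t) into one G-valued
    sequence v(t) = sum_i v_{mu_i}(t) nu_i (basis nu_i = x^i), convolve once, read off bit i."""
    assert len(components) <= p
    packed = [xsum(comp[t] << i for i, comp in enumerate(components))
              for t in range(len(components[0]))]
    q = substitute_dft(packed, b, E)
    return [[(x >> i) & 1 for x in q] for i in range(len(components))]

# Constructed sample data: D = 4 (b_0..b_4) and E = 6, so D + E = 10 < 2^p = 16.
B_COEFFS = [1, 0, 1, 1, 1]
V_MU = [1, 1, 0, 1, 0, 1, 1, 0, 0, 1]           # v_mu(1) .. v_mu(D+E)

if __name__ == "__main__":
    print(substitute_direct(V_MU, B_COEFFS, 6))   # [0, 1, 0, 1, 1, 0]
    print(substitute_dft(V_MU, B_COEFFS, 6))      # the same values via the convolution property
```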

Table 4 shows the complexities of the FFT method for substitution for the current fast algebraic attacks in the literature. In the case of E0, the improvement has been significant, and the substitution step no longer dominates the run-time complexity. The improvement in the substitution complexity is less noticeable for LILI-128, and insignificant for Toyocrypt. The substitution step still comprises a significant portion of the complexity for these attacks.

In all cases, the first improvement did not affect the complexity significantly; the largest improvement was by a factor of 4. Interestingly, the optimal value of δ was $\delta \approx D/E$, for which $D' = E$ and $P' \approx 2E$. The corresponding complexity is around $D/E \cdot E \cdot 2E \cdot (\log_2 E + 1) \approx 2DE(\log_2 E)$.

Table 4. Comparing the complexities of substitution using the FFT method against
the complexities of simple substitution.

                         Substitution
                         ------------------------------------------------------
                         Simple     FFT (δ+1)EP'(log P')
Cipher      D      E     E^2 D/2    Basic (δ=1)   Optimal choice       Solving System   Total
E0          2^23   2^18  2^59.2     2^48          2^46.8 (δ ≈ 2^4)     2^49             2^49
LILI-128    2^21   2^12  2^44.2     2^39.4        2^37.8 (δ ≈ 2^8)     2^39             2^40
Toyocrypt   2^18   2^7   2^31.4     2^31.2        2^29.2 (δ ≈ 2^10)    2^20             2^29

6 Improving the Pre-computation Step

A square matrix satisfies its characteristic polynomial. That is, if $p^{(d)}(x) = \sum_{i=0}^{D} p_i x^i$ is the characteristic polynomial of $R_d$, then

$p^{(d)}(R_d) = \sum_{i=0}^{D} p_i R_d^i = \mathbf{0}, \quad (14)$

where $\mathbf{0}$ represents the all-zero matrix. Suppose the coefficients $b_0, \ldots, b_D$ of Equation (9) are assigned the values of the coefficients $p_0, \ldots, p_D$ of the characteristic polynomial of $R_d$. Then, for any function $u(K_t)$ of degree $d$,

$\sum_{i=0}^{D} b_i \cdot u(t+i) = \sum_{i=0}^{D} p_i \cdot (u \cdot R_d^{t+i}) = u \cdot R_d^t \cdot \Big(\sum_{i=0}^{D} p_i \cdot R_d^i\Big) = u \cdot R_d^t \cdot \mathbf{0} = 0.$

The characteristic polynomial of $R_d$ depends on the LFSR and the degree $d$, and is otherwise independent of the function $u(K_t)$. Thus, the coefficients $p_0, \ldots, p_D$ (of the characteristic polynomial of $R_d$) can be substituted for the coefficients $b_0, \ldots, b_D$ in equations (9) and (11) for all functions $u(K_t)$ of degree $d$.

Most functions $u$ of degree $d$ have a minimal polynomial of degree $D = \sum_{i=0}^{d} \binom{n}{i}$ (Fact 6.55 of the reference cited); the minimal polynomial for these functions will be $p^{(d)}(x)$. However, there are functions whose minimal polynomial is a smaller factor of $p^{(d)}(x)$. For example, in the attack on E0 [1], $p^{(d)}(x)$ has length $D = 11{,}017{,}633$; while the minimal polynomial of the Boolean function used in the attack is of slightly smaller length $D' = 8{,}822{,}188$. Using $p^{(d)}(x)$ in the attack on E0 (instead of using the minimal polynomial) would increase the complexity by a small amount. An advantage of the methods proposed in [1, 5] is that those methods will find the minimal polynomial for a specified Boolean function, even if the minimal polynomial is smaller than $p^{(d)}(x)$.

It is not difficult to show that the polynomial $p^{(e)}(x)$ divides $p^{(d)}(x)$. This suggests that the linear combination $\sum_{i=0}^{D} p_i \cdot v(t+i)$ could be zero, thus resulting in a trivial equation $0 \cdot M_e = 0$ that provides no information about the initial monomial state. The probability of this cancellation occurring is small; the vectors $v(t+i) = v(z_{t+i}) \cdot R^{t+i}$ in the sum depend on the keystream. Nonetheless, this suggests that a better approach would be to cancel only those components corresponding to monomials of degree greater than $e$ using the polynomial

$p^{(d)}(x) / p^{(e)}(x) = \sum_i p'_i x^i.$

The linear combination $\sum_i p'_i \cdot u(t+i)$ cancels components corresponding to monomials of degree in the range $[e+1, d]$, but will not cancel components corresponding to monomials of degree $e$ or less. Hence, $u'(t) = \sum_i p'_i \cdot u(t+i)$ can be considered as an $E$-dimensional vector $u'(t) = u' \cdot R_e^t$ for some vector $u'$. Equation 10 would then become

$(u'(t) + v'(t)) \cdot R_e = 0. \quad (15)$

The probability that $u'(t) = v'(t)$ will depend on the probability that $u' = v(z)$ for a random $z$. Unless $v(z)$ is constant, this probability $u' + v(z) = 0$ will be less than $1/2$. After substitution of many such vectors, the probability that $u'(t) + v'(t) = 0$ will be very small and Equation (15) is highly unlikely to be trivial.



6.1 Direct Computation of the Linear Combination

Suppose an LFSR state of length $n$ is updated according to the state update matrix $L$, and the characteristic polynomial of $L$ is primitive (see the footnote on non-primitive polynomials below). The following theorem, while not explicitly stated by Key [7], is a fairly obvious consequence of Key's ideas, so no proof is given. This result provides a direct method for computing $p^{(d)}(x)$.

Theorem 1. (Largely due to Key [7]) If $\gamma \in GF(2^n)$ is a root of the characteristic polynomial of the LFSR state update matrix, then the characteristic polynomial of $R_d$ is $p^{(d)}(x) = \prod_{\psi : w(\psi) \le d} (x - \gamma^{\psi})$, where $\psi \in GF(2^n)$ and $w(\psi)$ denotes the Hamming weight of $\psi$ (that is, the number of 1's in the radix-2 representation of the integer $\psi$). □

Factoring $p^{(d)}(x)$ into $GF(2)$ polynomials $y_\psi(x)$. Computing the entire product $\prod_{\psi : w(\psi) \le d} (x - \gamma^{\psi})$ while in $GF(2^n)$ would be costly. Fortunately, the factors in $GF(2^n)$ can be easily grouped into $GF(2)$ polynomials of degree $n$ or less. We define an equivalence relation "$\equiv$" where $\psi' \equiv \psi$ if and only if $\psi' = 2^j \psi \pmod{2^n - 1}$, for some value $j$. Since the set $\{\psi' \equiv \psi\}$ is closed under multiplication by 2, the polynomial $y_\psi(x) = \prod_{\psi' \equiv \psi} (x - \gamma^{\psi'})$ has coefficients that are either 0 or the identity element 1. That is, the product $y_\psi(x)$ can be represented as a $GF(2)$ polynomial. Thus, we can compute $p^{(d)}(x)$ in two phases:

1. Compute the $GF(2)$ polynomials $y_\psi(x)$ for all $\psi$ of weight $d$ or less.

2. Multiply the $GF(2)$ polynomials $y_\psi(x)$ to form $p^{(d)}(x)$.

Footnote (non-primitive polynomials): This approach can be extended to cases where the characteristic polynomial is not primitive; for example, when the keystream is a function of more than one LFSR. See Key [7] for more details.

Computing $y_\psi(x)$. The FFT over $GF(2^n)$ may be used to compute the polynomials $y_\psi(x)$. First, apply the FFT to the sequences corresponding to $(x - \gamma^{\psi'})$ for $\psi' \equiv \psi$ to obtain sequences $Y_{\psi'}$, $\psi' \equiv \psi$. Second, form the sequence $Y$ with $Y_\phi = \ldots$. Finally, apply the inverse FFT to $Y$ to obtain $y_\psi(x)$. The first step is the most costly; it requires $n(\log n)^2$ logical operations for each factor. There are $D$ factors, so the total combined cost is $Dn(\log n)^2$ logical operations.

Multiplying $y_\psi(x)$ to form $p^{(d)}(x)$. The second phase has polynomials with coefficients in $GF(2)$ and uses FFTs in extension fields of $GF(2)$. Multiplying two $GF(2)$ polynomials to get a product of degree less than $J = 2^j$ can be performed (via the FFT) using $J(1 + 3\log_2 J) = 2^j(1+3j)$ operations in the extension field $GF(2^j)$; this is equal to $2^j(1+3j)j$ logical operations (see the footnote on packing at the end of the paper). Use the FFT to first multiply pairs of polynomials of degree $n$ to get polynomials of degree $2n$. Then multiply pairs of polynomials of degree $2n$ to get polynomials of degree $4n$ and so forth until $p^{(d)}(x)$ is formed. The total complexity is

$\sum_{j=\log_2 n}^{\log_2 D} \frac{D}{2^j} \cdot 2^j(1+3j)j = D \sum_{j=\log_2 n}^{\log_2 D} (3j^2 + j) \approx D(\log_2 D)^3.$

The combined complexity for the two phases is $D[n(\log n)^2 + (\log_2 D)^3]$. In Table 2, the complexity of this method is compared against the previous methods.
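As an added worked example (not code from the paper), the two-phase computation above can be checked on a toy LFSR. It assumes a register of length n = 5 with the primitive characteristic polynomial x^5 + x^2 + 1 (an assumption for this example only), builds GF(2^5) modulo that same polynomial so that the element x is a root γ, and multiplies out each y_ψ(x) directly from its conjugate factors instead of through the FFT: the FFT in the paper is a speed-up, not a change of result. The block also checks the divisibility p^(e)(x) | p^(d)(x) used in Section 6 and the degree D = Σ_{i≤d} C(n,i), which for n = 128 and d = 4 gives the 11,017,633 quoted for E0.

```python
from math import comb

# Toy parameters (assumption for this example): LFSR length n = 5 whose
# characteristic polynomial x^5 + x^2 + 1 is primitive over GF(2). GF(2^5) is
# built modulo the same polynomial, so the element "x" (integer 2) is a root
# gamma of the characteristic polynomial, as Theorem 1 requires.
N = 5
MOD = 0b100101  # x^5 + x^2 + 1


def gf_mul(a, b, n=N, mod=MOD):
    """Multiply two elements of GF(2^n) (integers < 2^n) modulo `mod`."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= mod
    return r


def gf_pow(g, e, n=N, mod=MOD):
    """g^e in GF(2^n) by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, g, n, mod)
        g = gf_mul(g, g, n, mod)
        e >>= 1
    return r


def poly_mul_ext(p, q, n=N, mod=MOD):
    """Multiply polynomials with GF(2^n) coefficients (lists, low degree first)."""
    r = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            if a and b:
                r[i + j] ^= gf_mul(a, b, n, mod)
    return r


def cosets(n, d):
    """Group the exponents psi of Hamming weight <= d into the classes
    psi' = 2^j psi (mod 2^n - 1) that define the y_psi(x)."""
    order = (1 << n) - 1
    seen, classes = set(), []
    for psi in range(order):
        if psi in seen or bin(psi).count("1") > d:
            continue
        cls, x = [], psi
        while x not in seen:
            seen.add(x)
            cls.append(x)
            x = (2 * x) % order
        classes.append(cls)
    return classes


def gf2_poly_mul(a, b):
    """Carry-less product of GF(2) polynomials stored as bit masks."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def gf2_poly_mod(a, m):
    """Remainder of a modulo m, both GF(2) polynomials as bit masks."""
    dm = m.bit_length() - 1
    while a and a.bit_length() - 1 >= dm:
        a ^= m << (a.bit_length() - 1 - dm)
    return a


def y_poly(cls, n=N, mod=MOD):
    """Phase 1: y_psi(x) = prod over the class of (x - gamma^psi'), as a GF(2) bit mask.
    In characteristic 2, x - gamma^psi' equals x + gamma^psi'."""
    gamma = 2
    prod = [1]
    for psi in cls:
        prod = poly_mul_ext(prod, [gf_pow(gamma, psi, n, mod), 1], n, mod)
    # The paper's claim: every coefficient of y_psi(x) is 0 or the identity 1.
    assert all(c in (0, 1) for c in prod), prod
    return sum(c << i for i, c in enumerate(prod))


def char_poly(d, n=N, mod=MOD):
    """Phase 2: p^(d)(x) as a GF(2) bit mask, the product of all y_psi(x)."""
    p = 1
    for cls in cosets(n, d):
        p = gf2_poly_mul(p, y_poly(cls, n, mod))
    return p


def expected_degree(n, d):
    """D = sum_{i<=d} C(n, i), the degree of p^(d)(x)."""
    return sum(comb(n, i) for i in range(d + 1))


if __name__ == "__main__":
    for d in range(4):
        p = char_poly(d)
        print(f"d={d}: deg p^(d) = {p.bit_length() - 1}, expected {expected_degree(N, d)}")
    print("E0 parameters (n=128, d=4): D =", expected_degree(128, 4))
```

Running it prints degrees 1, 6, 16 and 26 for d = 0, 1, 2, 3 and 11017633 for the E0 parameters. For d = 1 the result is (x + 1)(x^5 + x^2 + 1), because the class of ψ = 1 collects exactly the conjugates of γ and its y_ψ(x) is the minimal polynomial of γ; the assert in y_poly checks on every class that the cyclotomic grouping really lands in GF(2)[x], which is what makes phase 2 a product of binary polynomials.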

7 Conclusion

We have shown that some published "fast algebraic attacks" on stream ciphers underestimate the process complexity of one of the steps, and we provide correct complexity estimates for these cases. We then show an improved method, using Fast Fourier Transforms, for substituting keystream bits into the system of equations that needs to be solved. We also made some observations about the linear combination used in the pre-computation step of the fast algebraic attack. In particular, we found the fastest known method for performing the pre-computation. The fast algebraic attack remains an extremely powerful technique for analyzing LFSR-based stream ciphers.

Footnote (packing): The attacker can "pack" multiple $GF(2)$ polynomials into a single $GF(2^j)$ sequence and thereby compute the convolution of multiple pairs of $GF(2)$ polynomials using the same amount of computation. This reduces complexity by a relatively small factor.
Abstract. We study both distinguishing and key-recovery attacks against E0, the keystream generator used in Bluetooth, by means of correlation. First, a powerful computation method of correlations is formulated by a recursive expression, which makes it easier to calculate correlations of the finite state machine output sequences up to 26 bits for E0 and allows us to verify the two known correlations to be the largest for the first time. Second, we apply the concept of convolution to the analysis of the distinguisher based on all correlations, and propose an efficient distinguisher due to the linear dependency of the largest correlations. Last, we propose a novel maximum likelihood decoding algorithm based on the fast Walsh transform to recover the closest codeword for any linear code of dimension $L$ and length $n$. It requires time $O(n + L \cdot 2^L)$ and memory $\min(n, 2^L)$. This can speed up many attacks such as fast correlation attacks. We apply it to E0, and our best key-recovery attack works in $2^{39}$ time given $2^{39}$ consecutive bits after $O(2^{37})$ precomputation. This is the best known attack against E0 so far.



1 Background

Correlation properties play an important role in the security of nonlinear LFSR-based combination generators in stream ciphers. As the name implies, the word correlation in stream ciphers frequently refers to the intrinsic relation between the keystream and a subset of the LFSR subsequences. The earliest studies date back to [21, 25, 27] in the 80's, when the concept of correlation immunity was proposed as a security criterion. In the 90's Meier-Staffelbach [22] analyzed correlation properties of combiners with one memory bit, followed by Golić [12] focusing on correlation properties of a general combiner with $m$-bit memory. Recently, a series of fast correlation attacks sprang up, to name but a few [5-7, 16, 24]. Thereupon we dedicate this paper to the generalized correlation attacks against E0, a combiner with 4-bit memory used in the short-range wireless technology Bluetooth. Prior to our work, various attacks [1, 8, 10, 11, 13-15, 17, 26] against E0 existed. The best key-recovery attacks are algebraic attacks [1, 8], whose basic approach is to use the polynomial canceling all memory bits and involving only key bits, instead of considering the multiple polynomial to cancel the key bits as in the distinguishing attack; besides, [9, 13, 14] discussed correlations of E0. In [14], Hermelin-Nyberg for the first time presented a rough computation method to compute the correlation (called bias for our purpose), but they neither formalized the computation systematically, nor attempted to find a larger correlation. In [9, 13], two larger correlations for a short sequence of up to 6 bits were exposed. However, due to the limit of the computation method, no one was certain about the existence of a larger correlation for a longer sequence, which is critical to the security of E0.

* Supported in part by the National Competence Center in Research on Mobile Information and Communication Systems (NCCR-MICS), a center of the Swiss National Science Foundation under the grant number 5005-67322.

Our first contribution in the paper is that, based on Hermelin-Nyberg [14], we formulate a powerful computation method of correlations by a recursive expression, which makes it easier to calculate correlations of the Finite State Machine (FSM) output sequences up to 26 bits for E0 (and allows us to prove the two known correlations to be the only largest ones for the first time). Second, we apply the concept of convolution to the analysis of the distinguisher based on all correlations, which allows us to build an efficient distinguisher that halves the data complexity of the basic uni-bias-based distinguisher due to the linear dependency of the two largest biases. Our best distinguishing attack takes $2^{?}$ time given a $2^{?}$-bit keystream with $O(2^{?})$ precomputation (footnote 1; the three exponents are illegible in the scan). Finally, by means of the Fast Walsh Transform (FWT), we propose a novel Maximum Likelihood Decoding (MLD) algorithm to recover the closest codeword for any linear code. Our proposed algorithm can be easily applied to speed up a class of fast correlation attacks. Furthermore the algorithm is optimal when the length $n$ of the code and the dimension $L$ satisfy the relation $n \ge 2^L$, which is the case when we apply it to recover $R_1$ for E0. Our best key-recovery attack works in $2^{39}$ time given $2^{39}$ consecutive bits after $O(2^{37})$ precomputation. Compared with the minimum time complexity $O(2^{49})$ in algebraic attacks [1, 8], this is the best known attack against E0.

This paper is structured as follows: in Section 2, a description of E0 is given. In Section 3, we analyze the bias inside E0 systematically. Then based on one largest bias, we build a primary distinguisher for E0 in Section 4; an efficient way is shown in Section 5 that makes full use of all the largest biases to advance the distinguisher. In Section 6 we investigate the MLD algorithm for a linear code; the result is then applied to a key-recovery attack against E0 in Section 7. Finally we conclude in Section 8.

2 Description of the Bluetooth Keystream Generator E0

As specified in [3], the keystream generator E0 used in Bluetooth belongs to the combination generators with four memory bits (footnote 2), denoted by $\sigma_t = (c_{t-1}, c_t)$ at time $t$, where $c_t = (c^1_t, c^0_t)$. The whole system (Fig. 1) uses four Linear Feedback Shift Registers (LFSRs) denoted by $R_1, \ldots, R_4$ with lengths $L_1 = 25$, $L_2 = 31$, $L_3 = 33$, $L_4 = 39$ and primitive feedback polynomials

$p_1(x) = x^{25} + x^{20} + x^{12} + x^{8} + 1,$

$p_2(x) = x^{31} + x^{24} + x^{16} + x^{12} + 1,$

$p_3(x) = x^{33} + x^{28} + x^{24} + x^{4} + 1,$

$p_4(x) = x^{39} + x^{36} + x^{28} + x^{4} + 1,$

respectively. At clock cycle $t$, the four LFSRs' output bits $x^i_t$, $i = 1, \ldots, 4$, are added as integers. The sum $y_t \in \{0, \ldots, 4\}$ is represented in the binary system. Let $y^i_t$ denote its $i$-th least significant bit ($i = 1, 2, 3$). A 16-state machine (the dashed box in Fig. 1) emits one bit out of its state $\sigma_t = (c_{t-1}, c_t)$ and takes the input $y_t$ to update $\sigma_t$ to $\sigma_{t+1}$. Finally, the keystream $z_t$ is obtained by xoring $y^1_t$ with $c^0_t$. That is,

$x^1_t \oplus x^2_t \oplus x^3_t \oplus x^4_t \oplus c^0_t = z_t. \quad (1)$

Fig. 1. Outline of E0

Footnote 1: Throughout this paper, $O(\cdot)$ is used to provide a rough estimate on complexities, e.g. $O(2^{37})$ here means $c \cdot 2^{37}$ operations, where $c$ is a small constant.

Footnote 2: The description of E0 (sometimes called one-level E0) here only involves the keystream generation after the initialization.

The detailed mechanism of the FSM is beyond the scope of the paper except for the fact that the embedded delay cell (the box labeled $Z^{-1}$ in Fig. 1) makes $c^0_t$ depend only on the initial state $\sigma_0$ of the FSM as well as the past vectors $y_{t-1}, y_{t-2}, \ldots, y_0$. For completeness, we briefly outline it: given $y_t$ together with the state $\sigma_t$, the FSM moves into the state $\sigma_{t+1}$. Table 1 shows the state transition of the FSM, where the four-bit state is represented in the quaternary system (e.g. the FSM changes from $\sigma_t = 13$ into $\sigma_{t+1} = 32$ by the input $y_t = 2$).

More formally, by introducing two temporary bits $s_{t+1} = (s^1_{t+1}, s^0_{t+1})$ each clock, the following indirect iterative expressions between $s_{t+1}$ and $c_{t+1}$ suffice to update $c_t$:

$s_{t+1} = \left\lfloor \frac{y_t + 2c^1_t + c^0_t}{2} \right\rfloor, \quad (2)$

$c^1_{t+1} = s^1_{t+1} \oplus c^1_t \oplus c^0_{t-1}, \quad (3)$

$c^0_{t+1} = s^0_{t+1} \oplus c^0_t \oplus c^1_{t-1} \oplus c^0_{t-1}. \quad (4)$

Table 1. State transition of $\sigma_{t+1}$ given $y_t$ and $\sigma_t$

One can check Table 1 by those equations. We denote by $\lambda_t$ hereafter the content of the LFSRs at time $t$. Then the state of E0 at time $t$ is fully represented by the pair $(\lambda_t, \sigma_t)$.



3 Biases Inside E0

Property 1. Assuming $y_t = 2$ holds for $t = t_0, t_0+1, \ldots, t_0+3$, then

$c^0_{t_0} \oplus c^0_{t_0+1} \oplus c^0_{t_0+2} \oplus c^0_{t_0+3} \oplus c^0_{t_0+4} = 1.$

Proof. It is easy to verify that the state transition given $y_t = 2$ (the third bottom row in Table 1) is indeed a linear transformation over $GF(2)^4$, that actually satisfies the recurrence relation $\sigma_{t+1} = A \times \sigma_t \oplus 01$, where the states $\sigma_{t+1}$ are represented by column vectors of $(c^1_{t-1}, c^0_{t-1}, c^1_t, c^0_t)$, and $A$ is the following $4 \times 4$ square matrix over $GF(2)$:

$A = \begin{pmatrix} 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 1 & 0 & 0 \\ 1 & 1 & 1 & 1 \end{pmatrix}.$

Note that $x^4 + x^3 + x^2 + x + 1$ is the minimal polynomial of $A$, from which we deduce $\sigma_{t_0} \oplus \sigma_{t_0+1} \oplus \sigma_{t_0+2} \oplus \sigma_{t_0+3} \oplus \sigma_{t_0+4} = 33$. □

Remark 2. Since $\Pr(y_t = 2) = \frac{6}{16}$, this seemingly suggests that

$\Pr(c^0_t \oplus c^0_{t+1} \oplus c^0_{t+2} \oplus c^0_{t+3} \oplus c^0_{t+4} = 1) \approx \frac{1}{2} + \frac{1}{2}\left(\frac{6}{16}\right)^4 = \frac{1}{2} + \frac{81}{2 \cdot 4096}.$



As mentioned in [9, 13] (without relating to the above special case), this bit exhibits a much higher bias as shown later in Corollary 7. We will now introduce essential material in order to find a systematic algorithm to compute biases.

Proposition 3. If $(\lambda_0, \sigma_0)$ is random and uniformly distributed, then for any $t$

- $(\lambda_t, \sigma_t)$ is random and uniformly distributed,
- $(c_t, c_{t-1}, \ldots, c_{t-24})$ is independent of $y_t$.

Proof (sketch). The former half of the theorem is justified by the fact that $(\lambda_t, \sigma_t)$ is a permutation of $(\lambda_0, \sigma_0)$ for any $t$. About the latter half of the theorem, first, we know that $(\lambda_{t-24}, \sigma_{t-24})$ is random and uniformly distributed by the previous conclusion. Thus, $y_{t-24}, \ldots, y_{t-1}$ are i.i.d. random variables all independent of both $\sigma_{t-24}$ and $y_t$. By Eq. (2, 3, 4), we complete the proof. □

Interestingly, we deduce that if $(\lambda_0, \sigma_0)$ is uniformly distributed, then any sequence of 39 consecutive E0 keystream bits is uniformly distributed; in particular, no better key-recovery attack against E0 exists other than tradeoffs given a sequence of 39 consecutive keystream bits.

The following definition is derived from normalized correlation [22, p. 71].

Definition 4. The bias of a random Boolean variable $X$ is defined as

$\Delta(X) = \Pr(X = 0) - \Pr(X = 1) = E[(-1)^X].$

The normalized correlation between two random Boolean variables $X$ and $Y$ is just the bias of $X \oplus Y$. Assuming that $y_t$ is the sum of four balanced independent random bits and that $c_t$ is uniformly distributed, then we know that $\Delta(\alpha \cdot s_{t+1} \oplus w \cdot c_t)$ is a constant for any $\alpha, w \in GF(2)^2$, denoted by $\Omega(\alpha, w)$. Table 2 shows $\Omega(\alpha, w)$ computed by Eq. (2), where dashed entries are zeros. The following important lemma (see Appendix A for the proof), inspired by [14], gives an easy way of computing the bias for iterative structures.

Table 2. Bias of all linear combinations of $s_{t+1}$ and $c_t$: $\Omega(\alpha, w)$
Lemma 5. Given $f : \mathcal{E} \times GF(2)^\ell \to GF(2)$ and $g : GF(2)^m \to GF(2)^\ell$, let $X$ and $Y$ be two independent random variables in $\mathcal{E}$ and $GF(2)^m$ respectively. Assuming that $g(Y)$ is uniformly distributed in $GF(2)^\ell$, for any $v \in GF(2)^m$, we have

$\Delta\big(f(X, g(Y)) \oplus v \cdot Y\big) = \sum_{w \in GF(2)^\ell} \Delta\big(f(X, g(Y)) \oplus w \cdot g(Y)\big) \cdot \Delta\big(w \cdot g(Y) \oplus v \cdot Y\big).$

Corollary 6. We set $h : (x^1, x^0) \mapsto (x^0, x^1 \oplus x^0)$ to be a permutation defined over $GF(2)^2$, and $\delta(a_1, \ldots, a_d) = \Delta(a_1 \cdot c_1 \oplus \cdots \oplus a_d \cdot c_d)$, where $a_1, \ldots, a_d \in GF(2)^2$. Assuming $(\lambda_0, \sigma_0)$ is uniformly distributed, for any $d \le 26$, we have

$\delta(a_1, \ldots, a_d) = \sum_{w \in GF(2)^2} \Omega(a_d, w) \cdot \delta(a_1, \ldots, a_{d-3}, a_{d-2} \oplus h(a_d), a_{d-1} \oplus a_d \oplus w).$
Proof. By Eq. (2, 3, 4) we have

$\delta(a_1, \ldots, a_d) = \Delta\big(a_d \cdot s_d \oplus a_1 \cdot c_1 \oplus \cdots \oplus (a_{d-2} \oplus h(a_d)) \cdot c_{d-2} \oplus (a_{d-1} \oplus a_d) \cdot c_{d-1}\big).$

Then we apply Lemma 5 with $X = y_{d-1}$, $Y = (c_1, \ldots, c_{d-1})$, $g(Y) = c_{d-1}$, $f(X, g(Y)) = a_d \cdot s_d$ and $v = (a_1, \ldots, a_{d-3}, a_{d-2} \oplus h(a_d), a_{d-1} \oplus a_d)$, and we obtain

$\delta(a_1, \ldots, a_d) = \sum_{w} \Omega(a_d, w) \, \delta(a_1, \ldots, a_{d-3}, a_{d-2} \oplus h(a_d), a_{d-1} \oplus a_d \oplus w).$

Note that the assumption of Lemma 5 holds by Proposition 3. □

Now we use Corollary 6 iteratively to deduce some important biases of $\{c^0_t\}$ with Table 2 and the initial values $\delta(0, 0) = 1$, and $\delta(a, b) = 0$ for $(a, b) \ne (0, 0)$. A full list of nonzero triplets is given below for illustration:

$\delta(0,0,0) = 1, \quad \delta(1,0,2) = \tfrac{5}{8}, \quad \delta(1,3,2) = \tfrac{1}{4},$

$\delta(2,0,3) = \tfrac{1}{4}, \quad \delta(2,3,3) = -\tfrac{5}{8}, \quad \delta(3,3,1) = -\tfrac{1}{4}.$



Corollary 7. Assuming $(\lambda_0, \sigma_0)$ random and uniformly distributed, we have

$\Pr(c^0_t \oplus c^0_{t+1} \oplus c^0_{t+2} \oplus c^0_{t+3} \oplus c^0_{t+4} = 1) = \frac{1}{2} + \frac{25}{512},$

$\Pr(c^0_t = c^0_{t+5}) = \frac{1}{2} + \frac{25}{512}.$

Note that both biases were mentioned in [9, 13] (without formal proof). Now by Corollary 6, we can easily prove them as shown next.

Proof. We show the equivalent $\delta(1,1,1,1,1) = -\frac{25}{256}$ of the first bias as follows:

$\delta(1,1,1,1,1) = \sum_{w} \Omega(1, w) \cdot \delta(1, 1, 2, w)$

$\quad = -\tfrac{1}{4}\,\delta(1, 1, 2, 2)$

$\quad = -\tfrac{1}{4} \sum_{w} \Omega(2, w) \cdot \delta(1, 0, w)$

$\quad = -\tfrac{1}{4} \times \big(\tfrac{1}{4}\,\delta(1, 0, 1) + \tfrac{5}{8}\,\delta(1, 0, 2)\big)$

$\quad = -\tfrac{1}{4} \times \tfrac{25}{64} = -\tfrac{25}{256}.$

The second bias is similarly proved from $\delta(1,0,0,0,0,1) = \frac{25}{256}$. □

Also, we computed all $\ell$-tuple biases for $\ell \le 26$ and found that $\delta(1,1,1,1,1)$, $\delta(1,0,0,0,0,1)$ are the only largest ones. All biases for $\ell = 6$ are listed in Table 14, Appendix C. Throughout the paper we let

$\gamma = \delta(1,0,0,0,0,1) = -\delta(1,1,1,1,1) = \frac{25}{256}.$
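The following is an added example, not code from the paper, that computes the same biases exhaustively rather than through the recursion of Corollary 6. It implements the FSM of Section 2 from Eqs. (2) to (4) (the T1/T2 form of the Bluetooth specification), draws σ_t uniformly from the 16 states and y_t i.i.d. as the sum of four balanced bits (the hypotheses of Proposition 3 and Corollary 6), and averages (−1)^X over all weighted combinations with exact fractions. The mask convention is the paper's: each a_i ∈ GF(2)^2 is written in quaternary, so a_i = 1 selects c^0, a_i = 2 selects c^1 and a_i = 3 selects c^1 ⊕ c^0. It reproduces Property 1, the σ_t = 13 to σ_{t+1} = 32 transition quoted from Table 1, the nonzero triplets listed after Corollary 6 and the two 25/256 biases of Corollary 7.

```python
from fractions import Fraction
from itertools import product
from math import comb


def fsm_step(c_prev, c_cur, y):
    """One clock of the E0 FSM (Eqs. 2-4): c_{t+1} from c_{t-1}, c_t (integers 0..3
    encoding (c^1, c^0)) and the integer LFSR sum y_t in 0..4."""
    s = (y + c_cur) // 2                 # Eq. (2): s_{t+1} = floor((y_t + 2c^1_t + c^0_t) / 2)
    x1, x0 = c_prev >> 1, c_prev & 1
    t2 = (x0 << 1) | (x1 ^ x0)           # T2(x^1, x^0) = (x^0, x^1 xor x^0); T1 is the identity
    return s ^ c_cur ^ t2                # Eqs. (3) and (4), both bits at once


def next_sigma(sigma, y):
    """State transition sigma_{t+1} = (c_t, c_{t+1}) in the paper's quaternary notation."""
    c_prev, c_cur = sigma
    return (c_cur, fsm_step(c_prev, c_cur, y))


def c_window(c_prev, c_cur, ys):
    """c_t, c_{t+1}, ..., c_{t+len(ys)} produced by feeding the inputs ys."""
    out = [c_cur]
    for y in ys:
        c_prev, c_cur = c_cur, fsm_step(c_prev, c_cur, y)
        out.append(c_cur)
    return out


def dot(a, c):
    """a . c over GF(2)^2 for quaternary-encoded a and c."""
    return bin(a & c).count("1") & 1


def property1_holds():
    """Property 1: with y_t = 2 for four consecutive clocks, c^0_t + ... + c^0_{t+4} = 1
    (mod 2) from every one of the 16 states."""
    return all(sum(c & 1 for c in c_window(cp, cc, [2] * 4)) % 2 == 1
               for cp in range(4) for cc in range(4))


def bias(mask):
    """Exact delta(a_1, ..., a_l) = Delta(a_1.c_1 + ... + a_l.c_l) (Definition 4,
    Pr(X=0) - Pr(X=1)) under uniform sigma_t and i.i.d. y_t with Pr(y) = C(4, y)/16."""
    l = len(mask)
    acc = 0
    for cp, cc in product(range(4), repeat=2):          # 16 equally likely states
        for ys in product(range(5), repeat=l - 1):       # all input sequences, weighted
            weight = 1
            for y in ys:
                weight *= comb(4, y)                     # weights sum to 16^(l-1)
            cs = c_window(cp, cc, ys)
            x = sum(dot(a, c) for a, c in zip(mask, cs)) & 1
            acc += weight if x == 0 else -weight
    return Fraction(acc, 16 * 16 ** (l - 1))


if __name__ == "__main__":
    print("sigma=13, y=2 ->", next_sigma((1, 3), 2))     # (3, 2): quaternary 32
    print("Property 1 holds:", property1_holds())
    for m in [(1, 0, 2), (1, 3, 2), (2, 0, 3), (2, 3, 3), (3, 3, 1)]:
        print("delta", m, "=", bias(m))
    print("delta(1,1,1,1,1)   =", bias((1, 1, 1, 1, 1)))
    print("delta(1,0,0,0,0,1) =", bias((1, 0, 0, 0, 0, 1)))
```

The enumeration is the brute-force counterpart of Corollary 6: it costs 16 · 5^(ℓ−1) runs of the FSM, so it is only practical for short windows, whereas the recursion lets the paper reach ℓ = 26. Agreement on the triplets and on the two 25/256 values is a useful check that Eqs. (2) to (4) and the h permutation have been transcribed correctly.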
4 A Primary Distinguisher for E0

4.1 The Connection Polynomial of the Equivalent Single LFSR

Let $\theta_i$ be the order of the connection polynomial $p_i(x)$ of $R_i$, for $i = 1, 2, 3, 4$. Since all $p_i(x)$ are primitive polynomials, $\theta_i = 2^{L_i} - 1$; furthermore, by Lemma 6.57 of [18, p. 218], the equivalent LFSR generating the same sequence as the sum of the four original LFSR outputs over $GF(2)$ has the connection polynomial $p(x) = \prod_{i=1}^{4} p_i(x)$ with order $\theta = \mathrm{lcm}(\theta_1, \theta_2, \theta_3, \theta_4) \approx 2^{128}$ (by Lemma 6.50, [18, p. 214]) and degree $L = \sum_{i=1}^{4} L_i = 128$.

4.2 Finding the Multiple Polynomial with Low Weight

Let $d_0$ be the degree of a general polynomial $p(x)$. We use the standard approximation to estimate the minimal weight $w_d$ of multiples of $p(x)$ with degree at most $d$ by the following constraint: $w_d$ is the smallest $w$ such that

$\frac{1}{2^{d_0}} \binom{d}{w-1} \ge 1. \quad (5)$

Listed in Table 3 is the estimated $w_d$ (footnote 3) corresponding to $d$ with $p(x) = \prod_{i=1}^{4} p_i(x)$ ($d_0 = 128$) by solving Inequality (5).

To find multiples with low weight, efficient algorithms like [4] exist provided the degree is low, say, less than 2000, which does not apply to E0. So we can either use the conventional birthday paradox to find $Q(x)$ with the minimal $d$ (i.e. $w = w_d$), which takes precomputation time $PT \approx \ldots$; or we apply the generalized birthday problem [29] to find $Q(x)$ of the same weight but higher degree with much less precomputation as a tradeoff. Table 4 compares the two algorithms. In Appendix B, we also provide some non-optimal multiples as examples, including $Q_4(x)$ with $w = 4$ and $d \approx 2^{65}$.

Table 3. The estimated minimal weight $w_d$ of multiples of $p_1(x)p_2(x)p_3(x)p_4(x)$ with
degree $d$ by (5)

d     128   247   458   855   1749  2387  2^18  2^23  2^27  2^33  2^44  2^65  θ
w_d   =49   ≈31   ≈24   ≈20   ≈17   ≈16   ≈9    ≈7    ≈6    ≈5    ≈4    ≈3    =2


4.3 Building a Uni-Bias-Based Distinguisher for E0

Let $Q(x) = \sum_{i=1}^{w} x^{q_i}$ be the normalized multiple of $p(x)$ with degree $d$ and weight $w$, where $0 = q_1 < q_2 < \cdots < q_w = d$. As $\bigoplus_{i=1}^{w} y^1_{t_0+q_i} = 0$ holds for all $t_0$, by Eq. (1), we deduce

$\bigoplus_{i=1}^{w} (z_{t_0+q_i+5} \oplus z_{t_0+q_i}) = \bigoplus_{i=1}^{w} (c^0_{t_0+q_i+5} \oplus c^0_{t_0+q_i}). \quad (6)$

Footnote 3: Two special cases occur for $d = d_0$ and $d = \theta$ because we know the exact value of …
Table 4. Complexity of finding a multiple of $p_1(x)p_2(x)p_3(x)p_4(x)$ with degree $d$,
weight $w$

                 birthday problem with minimal d       tradeoff
w                9     7     6     5     4     3       9     5
log_2 PT         72    69    68    66    66    65      35    45

By the Piling-up Lemma [20] and Corollary 7, we know the right-hand side of Eq. (6) is equal to zero with probability $\frac{1}{2} + \frac{1}{2} \cdot \gamma^w$. With standard linear cryptanalysis techniques, we can distinguish the keystream $\{z_t\}$ of E0 from a truly random sequence with $\gamma^{-2w}$ samples, simply by checking that the left-hand side of Eq. (6) equals zero most of the time. Based on $Q(x)$ with $d$ and $w$, we minimize the data complexity $n$ by choosing $n = \gamma^{-2w} + d$. Table 5 shows the minimum $n = 2^{34}$ is achieved with $d = 2^{33}$, $w = 5$. Table 6 summarizes the best performance of our primary distinguisher for E0 based on either the use of $Q_4(x)$ with weight 4 in Appendix B, or a search for $Q(x)$.

Table 5. Data complexity of the primary distinguisher for E0

d         L     247   458   855   1749  2387  2^18  2^23  2^27  2^33  2^44  2^65  ?     2^43
w         49    31    24    20    17    16    9     7     6     5     4     3     9     5
log_2 n   329   209   162   135   115   108   61    47    41    34    44    65    61    43

Table 6. Summary of the best primary distinguisher for E0

Type                                d      w   Precomputation   Data = Time
use Q(x) = Q_4(x)                   2^65   4   -                2^65
find Q(x) with minimal d            2^33   5   2^66             2^34
find Q(x) with tradeoff             2^43   5   2^45             2^43

5 The Advanced Multi-bias-Based Distinguisher for E0

5.1 Preliminaries

Definition 8. Given $f, g : GF(2)^\ell \to \mathbb{R}$, for $a \in GF(2)^\ell$, we define

1. $(f \otimes g)(a) = \sum_{b \in GF(2)^\ell} f(b) \cdot g(a \oplus b)$; $f^{\otimes w}(a) = (f \otimes \cdots \otimes f)(a)$ with $w$ factors

2. $\hat{f}(a) = \sum_{b \in GF(2)^\ell} (-1)^{a \cdot b} f(b)$

3. $\|f\| = \sqrt{\sum_{a \in GF(2)^\ell} f(a)^2}$

4. $\Delta(f) = 2^{\ell/2} \cdot \|f - 2^{-\ell} \cdot \mathbf{1}\|$, where $\mathbf{1}$ denotes the constant function equal to 1

Note that the first two definitions correspond to convolution and Walsh transform respectively. We recall these basic facts: for any $f, g : GF(2)^\ell \to \mathbb{R}$, we have

- $\widehat{f \otimes g}(a) = \hat{f}(a) \cdot \hat{g}(a)$, for $a \in GF(2)^\ell$;

- $2^\ell \|f\|^2 = \|\hat{f}\|^2$;

- if $f$ is a distribution, i.e. $\sum_a f(a) = 1$ and $f(a) \ge 0$ for all $a \in GF(2)^\ell$, then the distribution of the XOR of $w$ i.i.d. random vectors with distribution $f$ is $f^{\otimes w}$; moreover, $\Delta^2(f) = \sum_{a \ne 0} \hat{f}(a)^2$;

- if the random Boolean variable $A$ follows the distribution $f$, then $\Delta(f) = \Delta(A)$, where $\Delta(A)$ is defined in Definition 4.



5.2 An Efficient Way to Deploy Multi-biases in E0 Simultaneously

Given a linear mapping $h : GF(2)^\ell \to GF(2)^r$ of rank $r$, we define the $r$-bit vectors $A_t = h(c^0_t, \ldots, c^0_{t+\ell-1})$ and $B_t = \bigoplus_{i=1}^{w} A_{t+q_i}$. Note that $B_t$ can be derived from the keystream $\{z_t\}$ directly. Except for accidentally bad choices of $h$, we make the heuristic assumption that all the $A_t$'s are independent. Let $\mathcal{D}$ be the probability distribution of the $\ell$-bit vector $(c^0_t, \ldots, c^0_{t+\ell-1})$, and let $\mathcal{D}_A$ be the probability distribution of the $r$-bit vector $A_t$. The Walsh transforms of $\mathcal{D}_A$ and $\mathcal{D}$ are linked by

$\widehat{\mathcal{D}_A}(b) = \widehat{\mathcal{D}}(h^T(b)), \quad \text{for all } b \in GF(2)^r.$

Now we discuss how to design $h$ in order to reduce the data complexity. From Baignères [2, Theorem 3, p. 10], we know that we can distinguish a distribution $f$ of $r$-bit random vectors from a uniform distribution with $1/\Delta^2(f)$ samples. Here, the distribution of $B_t$ is $f = \mathcal{D}_A^{\otimes w}$. So the modified distinguisher needs data complexity

$n = \frac{r}{\Delta^2(\mathcal{D}_A^{\otimes w})} + d.$

Let $k$ be the number of the largest Walsh coefficients $\widehat{\mathcal{D}_A}(b)$ over all nonzero $b$ with absolute value $\gamma$ (footnote 4). Since $\Delta^2(\mathcal{D}_A^{\otimes w}) \approx k\gamma^{2w}$, we obtain

$n \approx \frac{r}{k} \cdot \gamma^{-2w} + d.$

In order to lower $n$, it is necessary to have $r < k$. This implies the $k$ largest coefficients are linearly dependent, which happens to be true in E0: recall that the 6-bit vectors of the three largest biases satisfy the linear relation

$(1,1,1,1,1,0) \oplus (0,1,1,1,1,1) = (1,0,0,0,0,1).$

As a simple solution we may just pick $\ell = 6$, $r = 2$, $a_1 = (1,1,1,1,1,0)$ and $a_2 = (0,1,1,1,1,1)$ (where $a_i$ denotes the $i$-th row of $h$); then we obtain $k = 3$, and $n$ is reduced by a factor of $\frac{2}{3}$ for negligible $d$. Indeed, recall that we proved by computation that the largest Walsh coefficients for $\ell \le 26$ are either $(0, \ldots, 0, 1, 1, 1, 1, 1, 0, \ldots, 0)$ or $(0, \ldots, 0, 1, 0, 0, 0, 0, 1, 0, \ldots, 0)$. Thus $k \le (\ell - 4) + (\ell - 5) = 2\ell - 9$. This leads to a more general solution: if we pick $\ell = r + 4$, and the $i$-th row of $h$ as

$a_i = (\underbrace{0, \ldots, 0}_{i-1 \text{ zeros}}, 1, 1, 1, 1, 1, \underbrace{0, \ldots, 0}_{\ell - i - 4 \text{ zeros}}) \quad \text{for } i = 1, \ldots, r,$

then we obtain $k = 2r - 1$. And so the improvement factor of the data complexity tends to $\frac{1}{2}$ for negligible $d$ when $r$ goes to infinity; however, because of the underlying assumption for E0, $\ell$ is restricted to no larger than 26, i.e. $r \le 22$. To conclude, we show that the modified distinguisher (Algorithm 1) needs data complexity

$n \approx \frac{r}{2r - 1} \cdot \gamma^{-2w} + d, \quad \text{for } 1 \le r \le 22. \quad (7)$

Observe that Section 4 actually deals with the special case of $r = 1$. Table 7 shows the best improvement achieved with $r = 22$. We see that the minimum $n$ drops from the previous $2^{34}$ to $2^{33}$.

Footnote 4: Note that from Subsection 4.3 we have $|\widehat{\mathcal{D}_A}(b)| \le \gamma$ for $\ell \le 26$ regardless of $r$ and $h$.



Algorithm 1 The advanced distinguisher for E0
Parameters:
  $r \in [1, 22]$, $\ell = r + 4$
  $h : GF(2)^\ell \to GF(2)^r$
  $\mathcal{D}_A$: the probability distribution of the $r$-bit vector $A_t$
  $Q(x)$: the multiple polynomial of $p_1(x)p_2(x)p_3(x)p_4(x)$ with degree $d$
  $n$: the sample size by Eq. (7)
Input:
  keystream $z_0 z_1 \cdots z_{n-1}$ of either a truly random source $S_0$ or the output $S_1$ generated by E0

  initialize counters $u_0, u_1, \ldots, u_{2^r - 1}$
  for $t = 0, 1, \ldots, \lfloor n/r \rfloor - 1$ do
    compute $b = \bigoplus_{i=1}^{w} h(z_{rt+q_i}, \ldots, z_{rt+q_i+\ell-1})$
    increment $u_b$
  end for
  if $\sum_b u_b \cdot \log\big(2^r \cdot \mathcal{D}_A^{\otimes w}(b)\big) > 0$ then
    accept $S_1$ as the source
  else
    accept $S_0$ as the source
  end if



6 A Maximum Likelihood Decoding Algorithm

We restate the MLD problem for a general linear code (see [19] for details) of length $n$ and dimension $L$ with generator matrix $G$ (let $G_t$ denote the $t$-th column vector of $G$): find the closest codeword $(x_1, \ldots, x_n)$ to the received vector $(s_1, \ldots, s_n)$, and decode the message $r = (r_1, \ldots, r_L)$ such that $x_t = rG_t$, i.e. find such $r$ that minimizes $N(r) = \sum_{t=1}^{n} (s_t \oplus x_t)$.

Table 7. Data complexity of the advanced distinguisher for E0

d         L     247   458   855   1749  2387  2^18  2^23  2^27  2^33  2^44  2^65  ?     2^43
w         49    31    24    20    17    16    9     7     6     5     4     3     9     5
log_2 n   328   208   161   134   114   107   60    46    40    33    44    65    60    43

6.1 The Time-Domain Analysis

Obviously, the trivial approach (yet common in most correlation attacks) to find $r$ is an exhaustive search in the time domain: for every message $r$, we compute the distance $N(r)$ and keep the smallest. The final record leads to $r$. The time complexity is $O(n \cdot 2^L)$ with memory $n$ bits.

6.2 The Frequency-Domain Analysis

We introduce an integer-valued function,

$W(x) = \sum_{1 \le t \le n : G_t^T = x} (-1)^{s_t}, \quad (8)$

for all $x \in GF(2)^L$, where $T$ denotes the matrix transpose. We compute the Walsh transform $\hat{W}$ of $W$ as follows:

$\hat{W}(r) = \sum_{x \in GF(2)^L} (-1)^{r \cdot x} W(x) = \sum_{t=1}^{n} (-1)^{r \cdot G_t^T \oplus s_t} = \sum_{t=1}^{n} (-1)^{x_t \oplus s_t} = n - 2N(r).$

We thereby reach the theorem below.

Theorem 9.

$N(r) = \frac{1}{2}\big(n - \hat{W}(r)\big),$

for all $r \in GF(2)^L$, where $W$ is defined by Eq. (8).

This generalizes the result [19, p. 414] of the special case when $n = 2^L$ and $G_t$ corresponds to the binary representation of $t$. So we just compute the table of $W$, perform the FWT [30], and find the maximal $\hat{W}(r)$. The time and memory complexities of the FWT are $O(L \cdot 2^L)$ and $O(2^L)$ respectively. Since the precomputation of $W$ takes time $O(n)$ with memory $O(n)$, we conclude that our improved MLD algorithm runs in $O(n + L \cdot 2^L)$ with memory $O(2^L)$ (additionally, using a linear transformation allows computing the FWT over $GF(2)^L$ with memory $O(2^k)$ where $k = \lceil \log_2 n \rceil$). Note that when $n \ge 2^L$, the time complexity corresponds to $O(n)$, which is optimal in the sense that it stands on the same order of magnitude as the data complexity does. Table 8 compares the original exhaustive search algorithm with the improved frequency transformation algorithm. Note that the technique of FWT was used in another context [7] to speed up other kinds of fast correlation attacks. In the next section we will see how it helps to speed up the attack [10] by a factor of $2^{?}$ (exponent illegible in the scan). We estimate similar correlation attacks like [6] can be sped up by a factor of 10; undoubtedly, some other attacks can be significantly improved by our algorithm as well.



Table 8. Maximum likelihood decoding algorithms

                            time          memory
Exhaustive Search           n · 2^L       n
Frequency Transformation    n + L · 2^L   min(n, 2^L)
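Theorem 9 turned into code, as an added example that is not part of the paper: it builds a constructed random linear code (L = 8, n = 200, columns drawn from a fixed-seed generator, all assumptions of this example), corrupts a codeword in 25 positions, and decodes it both by the exhaustive time-domain search of 6.1 and by the frequency-domain route of 6.2 (table W of Eq. (8), fast Walsh transform, N(r) = (n − Ŵ(r))/2). The same fwt also serves the convolution fact of Section 5.1, that the Walsh transform of f ⊗ g is the pointwise product of the transforms, on a constructed two-bit distribution.

```python
import random


def fwt(values):
    """Fast Walsh transform: returns v_hat(r) = sum_x (-1)^{r.x} v(x) for all r.
    len(values) must be a power of two; L * 2^L additions for 2^L entries."""
    a = list(values)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                u, v = a[j], a[j + h]
                a[j], a[j + h] = u + v, u - v
        h *= 2
    return a


def parity(x):
    return bin(x).count("1") & 1


def distances_exhaustive(G, s, L):
    """Section 6.1: N(r) = sum_t (s_t xor r.G_t) for every r, O(n 2^L) time."""
    return [sum(bit ^ parity(r & g) for g, bit in zip(G, s)) for r in range(1 << L)]


def distances_fwt(G, s, L):
    """Section 6.2: W(x) = sum over t with G_t = x of (-1)^{s_t}, then
    N(r) = (n - W_hat(r)) / 2 by Theorem 9."""
    W = [0] * (1 << L)
    for g, bit in zip(G, s):                  # Eq. (8): O(n) time, 2^L memory
        W[g] += -1 if bit else 1
    W_hat = fwt(W)                             # O(L 2^L)
    n = len(G)
    return [(n - w) // 2 for w in W_hat]       # n - W_hat(r) is always even


def mld_decode(G, s, L):
    """The message r minimising N(r), i.e. the maximal Walsh coefficient."""
    N = distances_fwt(G, s, L)
    return min(range(1 << L), key=N.__getitem__)


def make_instance(L=8, n=200, flips=25, seed=2004):
    """Constructed data: random columns G_t in GF(2)^L (as L-bit integers), a random
    message r, the codeword x_t = r.G_t and a received word with `flips` bits inverted."""
    rng = random.Random(seed)
    G = [rng.getrandbits(L) for _ in range(n)]
    r = rng.getrandbits(L)
    x = [parity(r & g) for g in G]
    s = list(x)
    for t in rng.sample(range(n), flips):
        s[t] ^= 1
    return G, s, r


def xor_convolve(f, g):
    """(f (x) g)(a) = sum_b f(b) g(a xor b), Definition 8 item 1."""
    return [sum(f[b] * g[a ^ b] for b in range(len(f))) for a in range(len(f))]


if __name__ == "__main__":
    G, s, r_true = make_instance()
    r_hat = mld_decode(G, s, 8)
    print("decoded", r_hat, "true", r_true, "N(r_hat) =", distances_fwt(G, s, 8)[r_hat])
    f = [0.5, 0.25, 0.125, 0.125]            # constructed 2-bit distribution
    print(fwt(xor_convolve(f, f)) == [a * a for a in fwt(f)])
```

For these parameters the exhaustive search touches all 200 positions for each of the 256 messages, while the frequency route reads the received word once and runs a 256-point transform; the two N(r) tables are identical, which is the content of Theorem 9, and the decoded message is the one planted by make_instance.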



6.3 A More Generalized MLD Algorithm

We further generalize the preceding problem by finding the $L$-bit vector $r$ that, given a sequence of $\ell$-bit vectors $S_1, \ldots, S_k$ and $f : GF(2)^\ell \to \mathbb{R}$ together with matrices $G_1, \ldots, G_k$ of size $L$ by $\ell$, and the sequence of $\ell$-bit vectors $X_1, \ldots, X_k$ defined by $X_t = rG_t$, minimizes $N(r) = \sum_{t=1}^{k} f(S_t \oplus X_t)$. Note that the previous subsections are merely the special case of $\ell = 1$, $k = n$ and $f(a) = a$ for $a \in GF(2)$. Define a real function $W$ by:

$W(x) = \sum_{1 \le t \le k,\ a \in GF(2)^\ell : aG_t^T = x} 2^{-\ell} (-1)^{a \cdot S_t} \hat{f}(a)$

for all $x \in GF(2)^L$. We compute the Walsh transform $\hat{W}$ of $W$ as follows:

$\hat{W}(r) = \sum_{x \in GF(2)^L} (-1)^{r \cdot x} W(x) = 2^{-\ell} \sum_{t=1}^{k} \sum_{a \in GF(2)^\ell} (-1)^{a \cdot (rG_t \oplus S_t)} \hat{f}(a) = \sum_{t=1}^{k} f(rG_t \oplus S_t) = N(r).$

Algorithm 2 directly follows the above computation. The total running time of our algorithm is $O(k\ell L 2^\ell + L 2^L)$ with memory $O(2^L)$. To speed up the computation of $W$, we could precompute the inner products of all pairs of $\ell$-bit vectors in time $O(2^{2\ell})$ with memory $O(2^{2\ell})$. Thus, the total running time of the algorithm is $O(2^{2\ell} + kL2^\ell + L2^L)$ with memory $O(2^{2\ell} + 2^L)$.
Algorithm 2 The generalized MLD algorithm

Parameter: f, ℓ
Input:
    G = (G_1, ..., G_k): the generator matrix
    vector stream S_1, S_2, ..., S_k
Processing:
    apply FWT to compute the table of f̂
    initialize the table of W to 0
    for all ℓ-bit a do
        for t = 1, ..., k do
            increment W(aG_t^T) by (1/2^ℓ)(−1)^{a·S_t} f̂(a)
        end for
    end for
    apply FWT to find r that achieves the minimal Ŵ(r)
    output r



In the special case that is applicable to E0 (as is done in the next section),
G_{t+1} = AG_t for t = 1, ..., k − 1, we precompute another table to map any
L-bit vector x to xA^T. It takes time 2^L with memory 2^L. The total time of
the algorithm is thus O(2^{2ℓ} + (L + k)2^ℓ + L2^L), with memory O(2^{2ℓ} + 2^L).
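The following Python is added here as a worked example and is not code from the paper: it implements Algorithm 2 with in-place Walsh transforms and checks the whole table N(r) against the exhaustive search of Table 8 on a constructed noisy instance (random G_t, a secret r_0, S_t = r_0 G_t ⊕ noise); the call with ℓ = 1 and f(a) = a is the Subsection 6.2 algorithm of Theorem 9.

```python
# Added example (not the paper's code): the generalized MLD algorithm of
# Subsection 6.3 computed with Walsh transforms, checked against exhaustive
# search. Encoding: an L-bit vector is an int; G_t is the list of its ell
# column vectors (ints); r G_t is the ell-bit int whose bit j is <r, col_j>.
import random


def parity(x):
    return bin(x).count("1") & 1


def fwt(a):
    """In-place Walsh-Hadamard transform of a list whose length is a power of 2."""
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                x, y = a[j], a[j + h]
                a[j], a[j + h] = x + y, x - y
        h *= 2
    return a


def row_times_matrix(r, cols):
    """r G_t as an ell-bit int: bit j is the inner product of r with column j."""
    return sum(parity(r & col) << j for j, col in enumerate(cols))


def mld_exhaustive(L, G, S, f):
    """Baseline of Table 8: N(r) = sum_t f(S_t xor r G_t) for every r, k * 2^L work."""
    return [sum(f[S_t ^ row_times_matrix(r, cols)] for cols, S_t in zip(G, S))
            for r in range(1 << L)]


def mld_walsh(L, ell, G, S, f):
    """Algorithm 2. f is the table of f(y), y in GF(2)^ell, taken integer-valued
    so that W can be kept exact by scaling it with 2^ell. With ell = 1 and
    f = [0, 1] this is the Subsection 6.2 algorithm, N(r) = (n - W^(r)) / 2."""
    fhat = fwt(list(f))                        # f^(a) = sum_y (-1)^{a.y} f(y)
    W = [0] * (1 << L)                         # holds 2^ell * W(x)
    for cols, S_t in zip(G, S):
        for a in range(1 << ell):
            x = 0                              # x = a G_t^T: xor of the columns picked by a
            for j, col in enumerate(cols):
                if a >> j & 1:
                    x ^= col
            W[x] += (-1) ** parity(a & S_t) * fhat[a]
    fwt(W)                                     # W^(r) = 2^ell * N(r), as in Subsection 6.3
    return [w // (1 << ell) for w in W]


def make_instance(L=8, ell=2, k=60, flip=0.15, seed=1):
    """Constructed noisy instance: random L x ell matrices G_t, a secret r0 and
    S_t = r0 G_t xor noise, so that N(r0) counts the flipped bits."""
    rng = random.Random(seed)
    r0 = rng.randrange(1, 1 << L)
    G = [[rng.randrange(1 << L) for _ in range(ell)] for _ in range(k)]
    S = [row_times_matrix(r0, cols) ^ sum((rng.random() < flip) << j for j in range(ell))
         for cols in G]
    f = [bin(y).count("1") for y in range(1 << ell)]   # f = Hamming weight
    return r0, G, S, f


def recover(L, ell, G, S, f):
    """Return the r minimising N(r) together with the whole table N."""
    N = mld_walsh(L, ell, G, S, f)
    return min(range(1 << L), key=N.__getitem__), N


if __name__ == "__main__":
    r0, G, S, f = make_instance()
    r, N = recover(8, 2, G, S, f)
    print("secret", r0, "recovered", r, "N(r) =", N[r],
          "exhaustive agrees:", N == mld_exhaustive(8, G, S, f))
```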

7 The Key-Recovery Attack Against EO 

We proceed similarly to [10] to transform our distinguisher of Subsection 4.3
into a key-recovery attack. Our main contribution, however, is to decrease the
time complexity by applying the preceding algorithm.

Let Q(x) = \sum_{i=1}^{w} x^{q_i} be the multiple polynomial of p_2(x)p_3(x)p_4(x)
with degree d and weight w. Using the techniques of Subsection 4.2 to find Q(x)
with (precomputation) complexity PC, we list the corresponding triplets
(w, d, PC) for small w in Table 9.

Table 9. Complexity of finding a multiple of p_2(x)p_3(x)p_4(x) with degree d,
weight w (columns: birthday problem with minimal d for weight w = 5, 4, 3, 2,
and the tradeoff for w = 5; rows: degree d and precomputation PC)

Let x^1 be a guess for the initial state of R_1, which generates the keystream
{z_t} together with the other three fixed LFSRs. Denote by x^1_t the output bit
of R_1 with the initial state x^1 at time t. We define

    b_t(x^1) = \bigoplus_{i=1}^{w} (z_{t+q_i} ⊕ z_{t+q_i+5}) ⊕ \bigoplus_{i=1}^{w} (x^1_{t+q_i} ⊕ x^1_{t+q_i+5}).        (9)

It can be shown that the second addend in Eq.(9) is also an m-sequence generated
by the same LFSR. For brevity, we set

    S_t = \bigoplus_{i=1}^{w} (z_{t+q_i} ⊕ z_{t+q_i+5}),

for t = 1, ..., n (it corresponds to the data complexity n + d). We rewrite
Eq.(9) as

    b_t(x^1) = S_t ⊕ x'_t,

where x'_t denotes the second addend of Eq.(9). Given the n-bit sequence of
b_t(x^1)'s, we count the occurrences(a) N(x^1) of ones, i.e.
N(x^1) = \sum_{t=1}^{n} b_t(x^1). Using the analysis of [28], we estimate that
N(x^1) for the correct guess is the smallest of all N(x^1) with

    n ≈ \frac{4 L_1 \log 2}{λ^{2w}}.                                              (10)
Note that this estimated figure is actually comparable to the conventional
estimate [6, 16] of the critical data complexity n_0 in correlation attacks,
where

    n_0 = \frac{L_1}{1 − h(\cdot)} ≈ \frac{2 L_1 \log 2}{λ^{2w}},                (11)

and h is the binary entropy function(b). According to [6], simulations showed
that the probability of success is close to 1 (resp. 1/2) for n = 2n_0 (resp.
n = n_0), which is consistent with our analysis. Table 10 shows our estimated
minimal n for N(x^1) to achieve the top rank corresponding to w. Now define
G_t = (a_0, ..., a_{L_1−1})^T, where a_0 + a_1 x + ··· + a_{L_1−1} x^{L_1−1} = x^t
mod p_1(x). Clearly our current problem to recover R_1 fits right into the MLD
problem of Subsection 6.2. So we use the preceding MLD algorithm to recover r
first, then apply a linear transform to solve for x^1. Finally we conduct the
same analysis as in Section 5 to decrease the data complexity further; and we
apply the technique introduced in Subsection 6.3 to obtain the reduced time
complexity O(n + θ_1 · 2^ℓ + L_1 · 2^{L_1}). So, choosing ℓ = 12, we can halve
the time and data complexities. The attack complexities to recover R_1 for E0
are listed in Table 11. Once we recover R_1, we target R_2 next based on a
multiple of p_3(x)p_4(x). Last, we use the guess-and-determine technique of
[11] to solve R_3 and R_4 with knowledge of the two shortest LFSRs. The
detailed complexities of each step are shown in Table 12. A comparison of our
attacks with the similar attack(c) [10] and the best two algebraic attacks
[1, 8] is shown in Table 13.

(a) w is fixed in the attack, so we omit it in the notation N(x^1).

(b) h(p) = −p log_2 p − (1 − p) log_2 (1 − p) for 0 < p < 1.

(c) The estimate of data complexity in [10] uses a different heuristic formula
than ours. However we believe that their estimate and ours in Attack B are
essentially the same.
Table 10. The estimated minimal n for N(x^1) to top the rank, from Eq.(10),
for weight w = 5, 4, 3, 2, 1 (row: n)

Table 11. Summary of primary partial key-recovery attacks against R_1 for E0
(columns: w, d, n, data, precomputation, time, memory; rows: Attack A with
w = 5 and Attack B with w = 4)

Table 12. Detailed complexities of our key-recovery attack against E0
(columns: w, d, n, data, precomputation, time, memory; rows: R_1 with w = 5,
R_2 with w = 3, R_3 and R_4, total)

Table 13. Complexities comparison of our attacks with the similar attack and
algebraic attacks (columns: Precomputation, Time, Data, Memory; rows: algebraic
attacks [1] and [8], Attack [10], our Attacks A and B)

8 Conclusions

This paper formulates a systematic computation method of correlations by a
recursive expression, which makes it easier to calculate correlations of the
FSM output sequences up to 26 bits for E0 (and allows us to prove for the first
time that the two known biases are the only largest ones). Then we successfully
apply the concept of convolution to the analysis of the distinguisher based on
all correlations, which allows us to build an efficient distinguisher that
halves the data complexity of the basic uni-bias-based distinguisher due to the
linear dependency of the two largest biases. Finally, by means of the FWT, we
propose a novel MLD algorithm to recover the closest codeword for any linear
code. Our proposed algorithm can be easily adapted to speed up a class of fast
correlation attacks. Furthermore, the algorithm is optimal when the length n of
the code and the dimension L satisfy the relation n > 2^L, which is the case
when we apply it to recover R_1 for E0. This results in the best known
key-recovery attack against E0. Considering a maximal keystream length of 2745
bits for practical E0 in Bluetooth, our results still remain of academic
interest. Meanwhile, our attack successfully illustrates the attack methodology
of Baignères et al.
Appendix

A. Proof of Lemma 5

Let Z ∈ GF(2)^ℓ be a random variable independent of X with uniform
distribution. We have

    Δ(f(X, Z) ⊕ w·Z) · Δ(w·g(Y) ⊕ v·Y)

W

W

w^x^y^z

    = 2^ℓ \sum_{x,y} Pr(X = x, Z = g(y)) · Pr(Y = y) ·

    = \sum_{x,y} Pr(x, y) · (-1)^{f(x, g(y)) ⊕ v·y},

which is Δ(f(X, g(Y)) ⊕ v·Y).

B. Examples of Multiple Polynomials Q(x)

Example of Q(x) with Low Degree. Here is a multiple polynomial of degree
less than 855 with weight 31:

Observe that Q_1(x) is not optimal as w_855 = 20 from Table 3.

Examples of Q(x) with Weight Four. Recall that θ_i = 2^{L_i} − 1 is the order
of p_i(x) for i = 1, 2, 3, 4. By definition, p_i(x) | x^{θ_i} + 1. On the other
hand, p_i(x)p_j(x) | lcm(x^{θ_i} + 1, x^{θ_j} + 1) = x^{lcm(θ_i, θ_j)} + 1 for
i ≠ j, hence we deduce the following three multiple polynomials of p(x) with
weight 4 with ease:

    Q_2(x) = (x^{lcm(θ_1, θ_2)} + 1)(x^{lcm(θ_3, θ_4)} + 1),
    Q_3(x) = (x^{lcm(θ_1, θ_3)} + 1)(x^{lcm(θ_2, θ_4)} + 1),
    Q_4(x) = (x^{lcm(θ_1, θ_4)} + 1)(x^{lcm(θ_2, θ_3)} + 1),

where

    lcm(θ_1, θ_2) = 2^{56} − 2^{31} − 2^{25} + 1,    lcm(θ_1, θ_3) = 2^{58} − 2^{33} − 2^{25} + 1,
    lcm(θ_1, θ_4) = 2^{64} − 2^{39} − 2^{25} + 1,    lcm(θ_2, θ_3) = 2^{64} − 2^{33} − 2^{31} + 1,
    lcm(θ_2, θ_4) = 2^{70} − 2^{39} − 2^{31} + 1,    lcm(θ_3, θ_4) = (2^{39} − 1)(2^{33} − 1) / 7.

The degrees of Q_2(x), Q_3(x), Q_4(x) are approximately 2^{69}, 2^{70}, 2^{65}
respectively. Note that we may also expect optimal multiples with degree in the
same order of magnitude and weight 3.
C. Table of log_2 |D(α)| for ℓ = 6

Table 14. log_2 |D(c_t, c_{t+1}, ..., c_{t+5})| where dashed entries denote −∞
Abstract. In this paper, we show that a key encapsulation mechanism (KEM) does
not have to be IND-CCA secure in the construction of hybrid encryption schemes,
as was previously believed. That is, we present a more efficient hybrid
encryption scheme than Shoup [12] by using a KEM which is not necessarily
IND-CCA secure. Nevertheless, our scheme is secure in the sense of IND-CCA
under the DDH assumption in the standard model. This result is further
generalized to universal projective hash families.
1 Introduction

1.1 Background

Cramer and Shoup showed the first provably secure practical public-key
encryption scheme in the standard model [3, 6]. It is secure against adaptive
chosen ciphertext attack (IND-CCA) under the Decisional Diffie-Hellman (DDH)
assumption. They further generalized their scheme to projective hash families
[4]. (In the random oracle model [1], many practical schemes have been proven
to be IND-CCA, for example, OAEP+ [13], SAEP [2], RSA-OAEP [8], etc. [7].
However, while the random oracle model is a useful tool, it does not rule out
all possible attacks.)

On the other hand, a hybrid encryption scheme uses public-key encryption
techniques to derive a shared key that is then used to encrypt the actual
messages using symmetric-key techniques.

For hybrid encryption schemes, Shoup formalized the notion of a key
encapsulation mechanism (KEM), and an appropriate notion of security against
adaptive chosen ciphertext attack [12, 6]. A KEM works just like a public key
encryption scheme, except that the encryption algorithm takes no input other
than the recipient's public key. The encryption algorithm can only be used to
generate and encrypt a key for a symmetric-key encryption scheme. (One can
always use a public-key encryption scheme for this purpose. However, one can
construct a KEM in other ways as well.) A secure KEM, combined with an
appropriately secure symmetric-key encryption scheme, yields a hybrid
encryption scheme which is secure in the sense of IND-CCA [12].

M. Franklin (Ed.): CRYPTO 2004, LNCS 3152, pp. 426-442, 2004.

© International Association for Cryptologic Research 2004
Shoup presented a secure KEM under the DDH assumption [12]. As a result, his
hybrid encryption scheme is secure in the sense of IND-CCA under the DDH
assumption in the standard model [12].

1.2 Our Contribution

In order to prove the security of hybrid encryption schemes, it has been
believed that it is essential for the KEM to be secure in the sense of
IND-CCA, as stated in [6, Remark 7.2, page 207].

In this paper, however, we disprove this belief. That is, it is shown that a
KEM does not have to be CCA secure, as was previously believed. On a more
concrete level, we present a more efficient hybrid encryption scheme than Shoup
[12] by using a KEM which is not necessarily secure in the sense of IND-CCA.
Nevertheless, we prove that the proposed scheme is secure in the sense of
IND-CCA under the DDH assumption in the standard model.

In a typical implementation, the underlying Abelian group may be a subgroup of
Z_p^*, where p is a large prime. In this case, the size of our ciphertexts is
|p| bits shorter than that of Shoup [12]. The number of exponentiations per
encryption and per decryption are also smaller. (Further, our scheme is more
efficient than the basic Cramer-Shoup scheme [3, 6].)

This shows that one can start with a weak KEM and repair it with a hybrid
construction. Eventually, more efficient hybrid encryption schemes could be
obtained.

Our KEM is essentially a universal_2 projective hash family [4]. We present a
generalization of our scheme to universal_2 projective hash families also.

The only (conceptual) cost one pays is that one needs to assume a simple
condition on the symmetric encryption scheme. Namely, any fixed ciphertext is
rejected with overwhelming probability, where the probability is taken over
keys K. This property is already satisfied by the symmetric encryption scheme
SKE which is used in the hybrid construction of Shoup [12]. Hence the SKE can
be used in our hybrid construction too.

Our result sheds new light on the Cramer-Shoup encryption schemes [3, 4, 6] and
opens a door to designing more efficient hybrid encryption schemes.

2 Preliminaries 

We denote by λ a security parameter. PPT denotes probabilistic polynomial
time.

2.1 Notation and Definitions

|S| denotes the cardinality of S if S is a set. |m| denotes the bit length of m
if m is a string or a number. If A(·, ·, ...) is a probabilistic algorithm, then
x ← A(x_1, x_2, ...) denotes the experiment of running A on input x_1, x_2, ...
and letting x be the outcome. If S is a set, x ← S denotes the experiment of
choosing x ∈ S at random.
2.2 Public-Key Encryption Scheme (PKE)

A public-key encryption scheme is a three-tuple of algorithms
PKE = (K_p, E_p, D_p). The key generation algorithm K_p generates a pair
(pk, sk) ← K_p(1^λ), where pk is a public key and sk is a secret key. The
encryption algorithm E_p takes a public key pk and a plaintext m, and returns a
ciphertext c ← E_p(pk, m). The decryption algorithm D_p takes a secret key sk
and a ciphertext c, and returns m or reject.

The chosen plaintext attack (IND-CPA) game is defined as follows. We imagine a
PPT adversary A that runs in two stages. In the "find" stage, A takes a public
key pk and queries a pair of equal length messages m_0 and m_1 to an encryption
oracle. The encryption oracle chooses b ← {0, 1} and computes a challenge
ciphertext c* of m_b randomly. In the "guess" stage, given c*, A outputs a bit
b̃ and halts.

The adaptive chosen ciphertext attack (IND-CCA) game is defined similarly. The
difference is that the adversary A is given access to a decryption oracle,
where A cannot query the challenge ciphertext c* itself in the guess stage.

Definition 1. We say that PKE is secure in the sense of IND-CCA if
|Pr(b̃ = b) − 1/2| is negligible in the IND-CCA game for any PPT adversary A.

In particular, we define the IND-CCA advantage of A as follows:

    Adv^{cca}_{PKE}(A) = |Pr(b̃ = b) − 1/2|.                                     (1)

For any t and q_d, define Adv^{cca}_{PKE}(t, q_d) = max_A Adv^{cca}_{PKE}(A),
where the maximum is taken over all A which run in time t and make at most q_d
queries to the decryption oracle.

2.3 Diffie-Hellman Assumptions

Let G be an Abelian group of order Q, where Q is a large prime. Let g_1 be a
generator of G. Let

    DH     = {(g_1, g_2, g_1^r, g_2^r)    | r ∈ Z_Q, g_2 = g_1^w, w ∈ Z_Q}
    Random = {(g_1, g_2, g_1^r, g_2^{r'}) | r, r' ∈ Z_Q, g_2 = g_1^w, w ∈ Z_Q}

The decisional Diffie-Hellman (DDH) assumption claims that DH and Random are
indistinguishable.

For a distinguisher D, consider the following two experiments. In experiment
0, let (g_1, g_2, u_1, u_2) ← DH. In experiment 1, let (g_1, g_2, u_1, u_2) ← Random.
Define

    Adv^{ddh}_G(D) = |p_0 − p_1|,

where

    p_0 = Pr(D = 1 in experiment 0),    p_1 = Pr(D = 1 in experiment 1).

For any t, define Adv^{ddh}_G(t) = max_D Adv^{ddh}_G(D), where the maximum is
taken over all D which run in time t.
2.4 Target Collision Resistant Hash Function

The notion of a target collision resistant (TCR) family of hash functions was
shown by Cramer and Shoup [6]. It is a special case of the universal one-way
hash function (UOWH) family introduced by Naor and Yung [10], where a UOWH
family can be built from arbitrary one-way functions [10, 11].

In a TCR family, given a randomly chosen tuple of group elements x (∈ G^n for
some n) and a randomly chosen hash function H, it is infeasible for an
adversary A to find y ≠ x such that H(x) = H(y). (In a UOWH family, x is chosen
by the adversary.) In practice, one can use a dedicated cryptographic hash
function, like SHA-1. Define

    Adv^{tcr}_H(A) = Pr(A succeeds).

For any t, define Adv^{tcr}_H(t) = max_A Adv^{tcr}_H(A), where the maximum is
taken over all A which run in time t.

3 Previous Results on KEM 

It is known that by combining a KEM and a one-time symmetric encryption scheme
which are both secure in the sense of IND-CCA, we can obtain a hybrid
encryption scheme which is secure in the sense of IND-CCA.

3.1 KEM [12][6, Sec.7.1]

A key encapsulation mechanism KEM consists of the following algorithms.

— A key generation algorithm KEM.Gen that on input 1^λ outputs a
public/secret key pair (pk, sk).

— An encryption algorithm KEM.Enc that on input 1^λ and a public key pk
outputs a pair (K, ψ), where K is a key and ψ a ciphertext. A key K is a bit
string of length KEM.Len(λ), where KEM.Len(λ) is another parameter of KEM.

— A decryption algorithm KEM.Dec that on input 1^λ, a secret key sk, and a
string (in particular a ciphertext) ψ, outputs either a key K or the special
symbol reject.

KEM.Gen and KEM.Enc are PPT algorithms and KEM.Dec is a deterministic
polynomial time algorithm.

In the chosen ciphertext attack (IND-CCA) game, we imagine a PPT adversary A
that runs in two stages. In the find stage, A takes a public key pk and queries
an encryption oracle. The encryption oracle computes:

    (K*, ψ*) ← KEM.Enc(1^λ); K^+ ← {0, 1}^k; r ← {0, 1};
    if r = 0 then K^† ← K* else K^† ← K^+

where k = KEM.Len(λ), and responds with the pair (K^†, ψ*). In the guess stage,
given (K^†, ψ*), the adversary A outputs a bit r̃ and halts.
The adversary A is also given access to a decryption oracle. For each
decryption oracle query, the adversary A submits a ciphertext ψ, and the
decryption oracle responds with KEM.Dec(1^λ, sk, ψ), where A cannot query the
challenge ciphertext ψ* itself in the guess stage.

Definition 2. We say that KEM is secure in the sense of IND-CCA if
|Pr(r̃ = r) − 1/2| is negligible in the above game for any PPT adversary A.



3.2 One-Time Symmetric-Key Encryption [6, Sec. 7.2] 

A one-time symmetric-key encryption scheme SKE consists of two algorithms:

— A deterministic polynomial time encryption algorithm SKE.Enc that takes as
input 1^λ, a key K and a message m, and outputs a ciphertext χ.

— A deterministic polynomial time decryption algorithm SKE.Dec that takes as
input 1^λ, a key K and a ciphertext χ, and outputs a message m or the special
symbol reject.

The key K is a bit string of length SKE.Len(λ), where SKE.Len(λ) is a parameter
of the encryption scheme.

In the passive attack game, we imagine a PPT adversary A that runs in two
stages. In the "find" stage, A takes 1^λ, and queries a pair of equal length
messages m_0 and m_1 to an encryption oracle. The encryption oracle generates a
random key K of length SKE.Len(λ), along with a random a ← {0, 1}, and encrypts
m_a using the key K. In the "guess" stage, given the resulting ciphertext χ*,
A outputs a bit ã and halts.

In the chosen ciphertext attack (IND-CCA) model, the adversary A is also given
access to a decryption oracle in the guess stage. In each decryption oracle
query, A submits a ciphertext χ ≠ χ*, and obtains the decryption of χ under the
key K.

Definition 3. We say that SKE is secure in the sense of IND-CCA if
|Pr(ã = a) − 1/2| is negligible in the IND-CCA game for any PPT adversary A.

In particular, we define the IND-CCA advantage of A as follows.

    Adv^{cca}_{SKE}(A) = |Pr(ã = a) − 1/2|.                                     (2)

For any t and q_d, define Adv^{cca}_{SKE}(t, q_d) = max_A Adv^{cca}_{SKE}(A),
where the maximum is taken over all A which run in time t and make at most q_d
queries to the decryption oracle.



3.3 Construction of SKE 

Shoup showed a construction of a one-time symmetric-key encryption scheme as
follows [12, page 281]. Let PRBG be a pseudo-random bit generator which
stretches l-bit strings to strings of arbitrary (polynomial) length. We assume
that 1/2^l is a negligible quantity. In a practical implementation, it is
perfectly reasonable to stretch the key K_0 by using it as the key to a
dedicated block cipher, and then evaluate the block cipher at successive points
(so-called "counter mode") to obtain a sequence of pseudo-random bits
[6, Sec.7.2.2].

Let AXUH be a hash function which is suitable for message authentication, i.e.,
an almost XOR-universal hash function [9]. We assume that AXUH is keyed by an
l'-bit string and hashes arbitrary bit strings to l-bit strings. Many efficient
constructions for AXUH exist that do not require any intractability
assumptions.

To encrypt a message m by using a key K = (K_0, K_1, K_2), we apply PRBG to K_0
to obtain an |m|-bit string f. Then we compute

    e = f ⊕ m,                                                                (3)

    a = AXUH(K_1, e) ⊕ K_2.                                                   (4)

The ciphertext is χ = (e, a), where a is called a tag. (We can generate K by
applying PRBG to a shorter key.)

To decrypt χ = (e, a) using a key K = (K_0, K_1, K_2), we first test if eq.(4)
holds. If it does not hold, then we reject. Otherwise, we output m = e ⊕ f.



3.4 A Hybrid Construction 

Let KEM be a key encapsulation mechanism and let SKE be a one-time symmetric 
key encryption scheme such that KEM.Len(A) = SKE.Len(A) for all A. Let HPKE 
be the hybrid public-key encryption scheme obtained from KEM and SKE. 

Proposition 1. [6, Theorem 7.2] If KEM and SKE are secure in the sense of 
IND-CCA, then so is HPKE. 



4 Proposed Hybrid Encryption Scheme 

In this section, we show a more efficient hybrid encryption scheme than before 
[12,6] by using a KEM which is not necessarily secure in the sense of IND- 
CCA. Nevertheless, we prove that the proposed scheme is secure in the sense of 
IND-CCA under the DDH assumption in the standard model. 



4.1 Overview 

A KEM works just like a public key encryption scheme, except that the
encryption algorithm takes no input other than the recipient's public key.
Instead, the encryption algorithm generates a pair (K, ψ), where K is a key of
SKE and ψ is an encryption of K. The decryption algorithm applied to ψ yields
K. In our hybrid encryption scheme, ψ = (u_1, u_2) = (g_1^r, g_2^r).

The notion of IND-CCA is adapted to KEM as follows. The adversary does not give
two messages to the encryption oracle. Rather, the encryption oracle runs the
KEM encryption algorithm to obtain a pair (K, ψ). The encryption oracle then
gives the adversary either (K, ψ) or (K^+, ψ), where K^+ is an independent
random bit string; the choice of K versus K^+ depends on the value of the
random bit b chosen by the encryption oracle.

Up to now, in order to prove the security of the hybrid encryption scheme, it
has been believed to be essential for the KEM to be secure in the sense of
IND-CCA, as stated in [6, Remark 7.2, page 207].

However, we know of no way to prove that our KEM is secure in the sense of
IND-CCA. Nevertheless, we prove that the proposed hybrid encryption scheme is
secure in the sense of IND-CCA. This shows that one can start with a weak KEM
and repair it with a hybrid construction. Eventually, more efficient hybrid
encryption schemes could be obtained.

A generalization of our scheme to universal projective hash families [4] will
be given in Sec. 8.



4.2 ε-Rejection Secure

We require that a one-time symmetric-key encryption scheme SKE satisfies the
following property: any bit string χ is rejected by the decryption algorithm
with overwhelming probability. Formally, we say that SKE is ε-rejection secure
if for any bit string χ,

    Pr(SKE.Dec(1^λ, K, χ) = reject) ≥ 1 − ε,

where the probability is taken over K.

This property is already satisfied by the one-time symmetric-key encryption
scheme shown in Sec. 3.3. Indeed, for any fixed χ = (e, a), eq.(4) holds with
probability 1/2^l because K_2 is random. Therefore, this encryption scheme is
ε-rejection secure for ε = 1/2^l.



4.3 Proposed Scheme 

The proposed hybrid encryption scheme is based on the basic Cramer-Shoup scheme
[3, 6]. However, it does not use v as the validity check as in [3, 6]; rather,
v is used to derive the encapsulated key K. This saves the value h which was
previously used to encapsulate the key, and one exponentiation per
encryption/decryption. It also makes the public key and the secret key one
element shorter.

Let G be an Abelian group of order Q, where Q is a large prime. Let SKE be a
one-time symmetric-key encryption scheme.

Let H : G → {0, 1}^k be a hash function, where k = SKE.Len(λ). We assume that
H(v) is uniformly distributed over {0, 1}^k if v is uniformly distributed over
G. This is a very weak requirement on H, and we can use SHA-1, for example.

Key Generation. Generate two distinct generators g_1, g_2 of G at random.
Choose (x_1, x_2, y_1, y_2) ∈ Z_Q^4 at random. Compute

    c = g_1^{x_1} g_2^{x_2},    d = g_1^{y_1} g_2^{y_2}.

Finally, a random κ indexing a target collision resistant hash function TCR
(see Sec. 2.4) is chosen. The public key is pk = (g_1, g_2, c, d, κ) and the
secret key is sk = (x_1, x_2, y_1, y_2).

Encryption. To encrypt a message m, choose r ∈ Z_Q at random and compute

    u_1 = g_1^r,    u_2 = g_2^r,    α = TCR(κ; u_1, u_2),
    v = c^r d^{rα},    K = H(v),    χ = SKE.Enc(1^λ, K, m).

The ciphertext is (u_1, u_2, χ). (In the ciphertext, the KEM part is
ψ = (u_1, u_2).)

Decryption. For a ciphertext C = (u_1, u_2, χ), compute

    α = TCR(κ; u_1, u_2),    v = u_1^{x_1 + y_1 α} u_2^{x_2 + y_2 α},    K = H(v).

Then decrypt χ under K using SKE.Dec, and output the resulting decryption z.
(z may be reject.)
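The following Python is an added toy implementation of the scheme above (not the authors' code) over the order-Q subgroup of Z_p^* for a freshly generated 64-bit safe prime p; it instantiates H and TCR with SHA-256 and the one-time SKE with a SHA-256 counter-mode PRBG and an HMAC tag standing in for AXUH(K_1, e) ⊕ K_2, all of which are this example's choices rather than the paper's. It exercises the point of Sec. 4.3: an invalid (u_1, u_2) with r_1 ≠ r_2 is never checked explicitly, yet decryption rejects because the key K derived from v does not verify the tag.

```python
# Added example, not the paper's code: Kurosawa-Desmedt hybrid encryption
# (Sec. 4.3) over the prime-order subgroup of Z_p^* with toy 64-bit parameters.
import hashlib
import hmac
import secrets

rng = secrets.SystemRandom()


def is_probable_prime(n, rounds=40):
    """Miller-Rabin with random bases (error probability at most 4^-rounds)."""
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_group(bits):
    """Safe prime p = 2Q + 1; G is the subgroup of Z_p^* of prime order Q."""
    while True:
        Q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(Q) and is_probable_prime(2 * Q + 1):
            return 2 * Q + 1, Q


def random_generator(p):
    """Squaring maps Z_p^* onto the order-Q subgroup; any element != 1 generates it."""
    while True:
        g = pow(rng.randrange(2, p - 1), 2, p)
        if g != 1:
            return g


def tcr(kappa, u1, u2, Q):
    """TCR(kappa; u1, u2) -> Z_Q, built here from SHA-256 (the paper suggests SHA-1)."""
    data = kappa + u1.to_bytes(32, "big") + u2.to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def H(v):
    """K = H(v): 32 key bytes, used below as K0 || K1."""
    return hashlib.sha256(v.to_bytes(32, "big")).digest()


def prbg(K0, nbytes):
    """PRBG of Sec. 3.3 in counter mode, built here from SHA-256."""
    blocks = (hashlib.sha256(K0 + i.to_bytes(4, "big")).digest() for i in range(-(-nbytes // 32)))
    return b"".join(blocks)[:nbytes]


def ske_enc(K, m):
    """One-time SKE: e = f xor m (Eq. 3); tag = HMAC-SHA-256(K1, e), a stand-in for
    AXUH(K1, e) xor K2 (Eq. 4). A fixed (e, a) is accepted under a random K w.p. 2^-256."""
    K0, K1 = K[:16], K[16:]
    e = bytes(x ^ y for x, y in zip(m, prbg(K0, len(m))))
    return e + hmac.new(K1, e, hashlib.sha256).digest()


def ske_dec(K, chi):
    K0, K1 = K[:16], K[16:]
    e, a = chi[:-32], chi[-32:]
    if len(chi) < 32 or not hmac.compare_digest(a, hmac.new(K1, e, hashlib.sha256).digest()):
        return None                                    # reject
    return bytes(x ^ y for x, y in zip(e, prbg(K0, len(e))))


def keygen(p, Q):
    g1, g2 = random_generator(p), random_generator(p)
    while g2 == g1:
        g2 = random_generator(p)
    x1, x2, y1, y2 = (rng.randrange(Q) for _ in range(4))
    c = pow(g1, x1, p) * pow(g2, x2, p) % p
    d = pow(g1, y1, p) * pow(g2, y2, p) % p
    return (g1, g2, c, d, secrets.token_bytes(16)), (x1, x2, y1, y2)


def encrypt(pk, p, Q, m):
    g1, g2, c, d, kappa = pk
    r = rng.randrange(1, Q)
    u1, u2 = pow(g1, r, p), pow(g2, r, p)
    alpha = tcr(kappa, u1, u2, Q)
    v = pow(c, r, p) * pow(d, r * alpha % Q, p) % p   # v = c^r d^(r alpha)
    return u1, u2, ske_enc(H(v), m)


def decrypt(sk, pk, p, Q, C):
    """No validity check on (u1, u2): for an invalid pair the derived v, hence K,
    is uniform from the adversary's view (Sec. 5.2), so SKE.Dec rejects."""
    x1, x2, y1, y2 = sk
    u1, u2, chi = C
    alpha = tcr(pk[4], u1, u2, Q)
    v = pow(u1, (x1 + y1 * alpha) % Q, p) * pow(u2, (x2 + y2 * alpha) % Q, p) % p
    return ske_dec(H(v), chi)


def demo(bits=64):
    """Honest round trip, then an invalid KEM part (r1 != r2) and a flipped tag bit."""
    p, Q = gen_group(bits)
    pk, sk = keygen(p, Q)
    m = b"constructed sample plaintext for the hybrid scheme"
    u1, u2, chi = encrypt(pk, p, Q, m)
    r1 = rng.randrange(1, Q)
    r2 = (r1 + rng.randrange(1, Q)) % Q               # r2 != r1 mod Q
    invalid = (pow(pk[0], r1, p), pow(pk[1], r2, p), chi)
    tampered = (u1, u2, chi[:-1] + bytes([chi[-1] ^ 1]))
    return (decrypt(sk, pk, p, Q, (u1, u2, chi)) == m,
            decrypt(sk, pk, p, Q, invalid) is None,
            decrypt(sk, pk, p, Q, tampered) is None)
```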

4.4 Security 

Theorem 1. The proposed hybrid encryption scheme Hybrid is secure in the sense
of IND-CCA under the DDH assumption if SKE is secure in the sense of IND-CCA and
it is ε-rejection secure for negligible ε. In particular,

    Adv^{cca}_{Hybrid}(t, q_d) ≤ Adv^{ddh}_G(t_1) + Adv^{tcr}_{TCR}(t_2) + Adv^{cca}_{SKE}(t_3, q_d) + q_d(ε + 1/Q) + 4/Q,

where t_1, t_2, t_3 are essentially the same as t.

A proof will be given in the next section. 

4.5 Efficiency Comparison 

In the hybrid encryption scheme of Shoup [12] and in the Cramer-Shoup scheme
[3],

— v ∈ G is included in the ciphertext C to check the validity of C.

— h ∈ G is included in the public key to generate a key K of SKE.

In our scheme, on the other hand,

— v is not included in the ciphertext, but it is used to derive a key K of SKE.

— h is not necessary at all.

In a typical implementation, the underlying Abelian group G may be a subgroup
of Z_p^*, where p is a large prime. Table 1 shows an efficiency comparison
among the proposed hybrid encryption scheme, the hybrid encryption scheme of
Shoup [12] and the basic Cramer-Shoup scheme [3]. (In the table, a denotes the
tag of SKE as shown in Sec. 3.3.)

We can see that

— the size of our ciphertext is |p| bits shorter than that of Shoup [12].

— the size of our public key is |p| bits shorter than that of Shoup [12].

— the number of exponentiations per encryption and per decryption of our
scheme are also smaller.

Further, our scheme is more efficient than the Cramer-Shoup scheme [3] for
|m| < 2|p| − |a|. Moreover, in Cramer-Shoup [3] m must belong to G (so
|m| < |q|), while in ours and Shoup's [12] m ∈ {0, 1}^* (polynomial length).



Table 1. Efficiency Comparison

                         ciphertext             public-key      exp/enc   exp/dec
    Cramer-Shoup [3]     4|p|                   5|p| + |κ|      5         3
    Shoup [12]           3|p| + |m| + |a|       5|p| + |κ|      5         3
    Proposed             2|p| + |m| + |a|       4|p| + |κ|      4         2



5 Proof of Theorem 1 

5.1 Outline 

The following lemma is simple but useful.

Lemma 1. [6, Lemma 6.2] Let S_1, S_2 and F be events defined on some
probability space. Suppose that the event S_1 ∧ ¬F occurs if and only if
S_2 ∧ ¬F occurs. Then

    |Pr(S_1) − Pr(S_2)| ≤ Pr(F).

Let A be an adversary who breaks the proposed scheme in the sense of IND-CCA.
The attack game is as described in Sec. 2.2. Suppose that the public key is
(g_1, g_2, c, d, κ) and the secret key is (x_1, x_2, y_1, y_2). The target
ciphertext is denoted by C* = (u_1*, u_2*, χ*). We also denote by r*, α*, v*, K*
the values corresponding to r, α, v, K related to C*.

Suppose that A queries at most q_1 times to the decryption oracle in the find
stage, and at most q_2 times to the decryption oracle in the guess stage, where
q_d = q_1 + q_2. We say that a ciphertext C = (u_1, u_2, χ) is valid if
u_1 = g_1^r and u_2 = g_2^r for some r. Otherwise, we say that C is invalid.

Let log(·) denote log_{g_1}(·) and let w = log g_2. Then

    log c = x_1 + w x_2                                                        (5)

    log d = y_1 + w y_2                                                        (6)

Let G_0 be the original attack game, let b̃ ∈ {0, 1} denote the output of A,
and let T_0 be the event that b̃ = b in G_0. Therefore,

    Adv^{cca}_{Hybrid}(A) = |Pr[T_0] − 1/2|.
We shall define a sequence G_1, ..., G_ℓ of modified attack games. For any
1 ≤ i ≤ ℓ, we let T_i be the event that b̃ = b in game G_i.

In game G_1, we modify the encryption oracle as follows: v* = c^{r*} d^{r* α*}
is replaced by

    v* = (u_1*)^{x_1 + y_1 α*} (u_2*)^{x_2 + y_2 α*}.

This change is purely conceptual, and Pr[T_1] = Pr[T_0].

In game G_2, we modify the encryption oracle again, so that (u_1*, u_2*) is
replaced by a random pair (g_1^{r_1*}, g_2^{r_2*}) with r_1* ≠ r_2*. Under the
DDH assumption, A will hardly notice, and |Pr[T_2] − Pr[T_1]| is negligible.
More precisely, we have

Lemma 2. There exists a PPT algorithm A_1, whose running time is essentially
the same as that of A, such that

    |Pr[T_2] − Pr[T_1]| ≤ Adv^{ddh}_G(A_1) + 3/Q.

The proof is the same as that of [6, Lemma 6.3].

In game G_3, we modify the decryption oracle, so that it applies the following
special rejection rule: In the guess stage, if the adversary submits a
ciphertext with (u_1, u_2) ≠ (u_1*, u_2*) but α = α*, then the decryption
oracle immediately outputs reject and halts. Let R_3 be the event that the
decryption oracle in game G_3 rejects a ciphertext using the special rejection
rule. It is clear that games G_2 and G_3 proceed identically until the event
R_3 occurs. In particular, the events T_2 ∧ ¬R_3 and T_3 ∧ ¬R_3 are identical.
So by Lemma 1, we have

    |Pr[T_3] − Pr[T_2]| ≤ Pr[R_3].

Lemma 3. There exists a PPT algorithm A_2, whose running time is essentially
the same as that of A, such that

    Pr[R_3] ≤ Adv^{tcr}_{TCR}(A_2) + 1/Q.

The proof is the same as that of [6, Lemma 6.5].

In game G_4, we modify the decryption oracle, so that it rejects all invalid
ciphertexts C in the find stage. Let R_4 be the event that a ciphertext is
rejected in G_4 that would not have been rejected under the rules of game G_3.
It is clear that games G_3 and G_4 proceed identically until the event R_4
occurs. In particular, the events T_3 ∧ ¬R_4 and T_4 ∧ ¬R_4 are identical. So
by Lemma 1, we have

    |Pr[T_4] − Pr[T_3]| ≤ Pr[R_4].

Lemma 4. Pr[R_4] ≤ q_1 · ε. (For the proof, see Section 5.2.)

In game G_5, we modify the encryption oracle as follows.
(u_1*, u_2*) = (g_1^{r_1*}, g_2^{r_2*}) is randomly chosen in such a way that an
event R_5 does not occur, where R_5 is the event that (u_1*, u_2*) = (u_1, u_2)
for some invalid ciphertext (u_1, u_2, χ) which A queries in the find stage. It
is clear that the events T_4 ∧ ¬R_5 and T_5 ∧ ¬R_5 are identical. So by
Lemma 1, we have

    |Pr[T_5] − Pr[T_4]| ≤ Pr[R_5].
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Lemma 5 . Pr[i?5] < q\/Q. (For the proof, see Section 5 . 3 .) 

In game $G_6$, we modify the decryption oracle, so that it rejects all invalid ciphertexts $C$ in the guess stage. Let $R_6$ be the event that a ciphertext is rejected in $G_6$ that would not have been rejected under the rules of game $G_5$. It is clear that games $G_5$ and $G_6$ proceed identically until the event $R_6$ occurs. In particular, the events $T_5 \wedge \neg R_6$ and $T_6 \wedge \neg R_6$ are identical. So by Lemma 1, we have

$$|\Pr[T_6] - \Pr[T_5]| \le \Pr[R_6].$$

Lemma 6. $\Pr[R_6] \le q_2 \cdot \epsilon$, where $q_2$ is the number of decryption queries in the guess stage. (For the proof, see Section 5.4.)

In game $G_7$, we modify the encryption oracle and the decryption oracle, so that $K^*$ is replaced by a random key $K^+$.

Lemma 7. $\Pr[T_6] = \Pr[T_7]$. (For the proof, see Section 5.5.)

Lemma 8. There exists a PPT algorithm $A_3$, whose running time is essentially the same as that of $A$, such that

$$\mathrm{Adv}^{\mathrm{cca}}_{\mathrm{SKE}}(A_3) = |\Pr[T_7] - 1/2|.$$

For the proof, see Section 5.6.

From the above results (summing the bounds of Lemmas 2 to 8, with $q_D = q_1 + q_2$ the total number of decryption queries), we immediately obtain that

$$\mathrm{Adv}^{\mathrm{cca}}_{\mathrm{Hybrid}}(A) \le \mathrm{Adv}^{\mathrm{ddh}}(A_1) + \mathrm{Adv}^{\mathrm{tcr}}(A_2) + \mathrm{Adv}^{\mathrm{cca}}_{\mathrm{SKE}}(A_3) + q_D(\epsilon + 1/Q) + 4/Q.$$

5.2 Proof of Lemma 4 

From $A$'s view, $(x_1, x_2, y_1, y_2)$ is a random point satisfying eq.(5) and eq.(6). Suppose that $A$ queries an invalid ciphertext $(u_1, u_2, \chi)$ to the decryption oracle, where $\log_{g_1}(u_1) = r_1$ and $\log_{g_2}(u_2) = r_2$ with $r_1 \neq r_2$. Let $v = u_1^{x_1 + \alpha y_1} u_2^{x_2 + \alpha y_2}$, where $\alpha = \mathrm{TCR}(k; u_1, u_2)$. Then, writing $\log$ for $\log_{g_1}$ and $g_2 = g_1^w$,

$$\log v = r_1(x_1 + \alpha y_1) + r_2 w (x_2 + \alpha y_2). \quad (7)$$

It is clear that eq.(5), (6) and (7) are linearly independent (as equations in the unknowns $x_1, x_2, y_1, y_2$, because $r_1 \neq r_2$ and $w \neq 0$). This means that $v$ can take any value. In other words, $v$ is uniformly distributed over $G$. Hence $K = H(v)$ is uniformly distributed over $\{0,1\}^k$. Now since SKE is $\epsilon$-rejection secure, the decryption oracle accepts $(u_1, u_2, \chi)$ with probability at most $\epsilon$. Consequently, we obtain this lemma.

5.3 Proof of Lemma 5 

For any fixed $(u_1, u_2)$,

$$\Pr[(u_1^*, u_2^*) = (u_1, u_2)] \le 1/Q$$

because $(r_1^*, r_2^*) \in \mathbb{Z}_Q^2$ is randomly chosen in such a way that $r_1^* \neq r_2^*$. Since $A$ submits at most $q_1$ invalid ciphertexts in the find stage, $\Pr[R_5] \le q_1/Q$ follows by the union bound.
5.4 Proof of Lemma 6

As the worst case, we assume that $A$ knows $v^*$. Then from $A$'s view, $(x_1, x_2, y_1, y_2)$ is a random point satisfying eq.(5), (6) and

$$\log v^* = r_1^*(x_1 + \alpha^* y_1) + r_2^* w (x_2 + \alpha^* y_2). \quad (8)$$

In the guess stage, suppose that $A$ queries an invalid ciphertext $(u_1, u_2, \chi)$ to the decryption oracle, where $\log_{g_1} u_1 = r_1$ and $\log_{g_2} u_2 = r_2$ with $r_1 \neq r_2$. Let $v = u_1^{x_1 + \alpha y_1} u_2^{x_2 + \alpha y_2}$, where $\alpha = \mathrm{TCR}(k; u_1, u_2)$. Then

$$\log v = r_1(x_1 + \alpha y_1) + r_2 w (x_2 + \alpha y_2). \quad (9)$$

Now the coefficient matrix of eq.(5), (6), (8) and (9) in the unknowns $(x_1, y_1, x_2, y_2)$ has determinant

$$\begin{vmatrix} 1 & 0 & w & 0 \\ 0 & 1 & 0 & w \\ r_1^* & \alpha^* r_1^* & w r_2^* & \alpha^* w r_2^* \\ r_1 & \alpha r_1 & w r_2 & \alpha w r_2 \end{vmatrix} = w^2 (r_1^* - r_2^*)(r_1 - r_2)(\alpha - \alpha^*) \neq 0,$$

because $r_1^* \neq r_2^*$, $r_1 \neq r_2$, $w \neq 0$, and $\alpha \neq \alpha^*$ (a query with $(u_1, u_2) \neq (u_1^*, u_2^*)$ and $\alpha = \alpha^*$ is already rejected by the special rejection rule of game $G_3$). Therefore, eq.(5), (6), (8) and (9) are linearly independent. This means that $v$ is uniformly distributed over $G$. Hence $K = H(v)$ is uniformly distributed over $\{0,1\}^k$. Now since SKE is $\epsilon$-rejection secure, the decryption oracle accepts $(u_1, u_2, \chi)$ with probability at most $\epsilon$.

Consequently, we obtain this lemma.



5.5 Proof of Lemma 7 

In game $G_6$, from $A$'s view, $(x_1, x_2, y_1, y_2)$ is a random point satisfying eq.(5) and eq.(6). Further, it is clear that eq.(5), (6) and (8) are linearly independent (since $r_1^* \neq r_2^*$). This means that $v^*$ can take any value. In other words, $v^*$ is uniformly distributed over $G$. Hence $K^* = H(v^*)$ is uniformly distributed over $\{0,1\}^k$, and replacing it by a random key $K^+$ does not change the distribution of $A$'s view. Consequently, we obtain this lemma.



5.6 Proof of Lemma 8 

We describe Algorithm $A_3$. Algorithm $A_3$ provides an environment for $A$ as follows. First, $A_3$ runs the key generation algorithm of Hybrid to generate a public key $pk = (g_1, g_2, c, d, k)$ and the secret key $sk = (x_1, x_2, y_1, y_2)$. In particular, $A_3$ chooses $w \in \mathbb{Z}_Q$ randomly and computes $g_2 = g_1^w$. It then gives $pk$ to $A$.

In the find stage, whenever $A$ submits a ciphertext $C$ to the decryption oracle, $A_3$ applies the decryption rule of game $G_7$, using the secret key $sk$ and $w$.

When $A$ submits $(m_0, m_1)$ to the encryption oracle, $A_3$ submits $(m_0, m_1)$ to her encryption oracle.

The encryption oracle of $A_3$ chooses a random key $K^+ \in \{0,1\}^k$ along with a random bit $\sigma$, and encrypts $m_\sigma$ using the key $K^+$. It then returns the resulting ciphertext $\chi^*$ to $A_3$.

$A_3$ generates $(u_1^*, u_2^*)$ according to the encryption rule of game $G_7$. It then returns the target ciphertext $C^* = (u_1^*, u_2^*, \chi^*)$ to $A$.

In the guess stage, suppose that $A$ submits a ciphertext $C = (u_1, u_2, \chi)$ to the decryption oracle. If $(u_1, u_2) \neq (u_1^*, u_2^*)$, then $A_3$ applies the decryption rule of game $G_7$, using the secret key $sk$ and $w$. Otherwise, $A_3$ queries $\chi$ to her decryption oracle, where the decryption oracle decrypts $\chi$ by using $K^+$. $A_3$ then returns the answer to $A$.

When $A$ outputs a bit $\sigma'$, $A_3$ outputs $\sigma'$ and halts. That completes the description of $A_3$.

It is clear that $A_3$ perfectly simulates the environment of $A$ in game $G_7$. Therefore,

$$\Pr[T_7] = \Pr[\sigma' = \sigma].$$

On the other hand,

$$\mathrm{Adv}^{\mathrm{cca}}_{\mathrm{SKE}}(A_3) = |\Pr[\sigma' = \sigma] - 1/2|.$$

Consequently, we obtain this lemma.



6 Discussion

We have argued that a KEM does not have to be CCA-secure in the construction of hybrid encryption schemes, as was previously believed.

In the IND-CCA definition of hybrid encryption schemes, the decryption oracle returns the message $m$ for a queried ciphertext $C = (\psi, \chi)$, where $\psi$ is the KEM part and $\chi$ is the symmetric encryption ciphertext. On the other hand, in the IND-CCA definition of KEM, the decryption oracle returns the symmetric key $K$ for a queried $\psi$. Hence, the IND-CCA definition of KEM is too demanding, because its decryption oracle reveals much more information than the decryption oracle of the hybrid encryption scheme does.

One may then consider defining a weaker condition on the KEM such that, when coupled with CCA-secure symmetric encryption (with the extra condition of Section 3.4), it would yield a CCA-secure hybrid encryption scheme. However, this seems to be impossible, because the security of the KEM and that of the symmetric encryption scheme are intertwined (as in our scheme).

7 Hash Proof System

Cramer and Shoup introduced the notion of a Hash Proof System (HPS) [4, 5] in order to generalize their encryption scheme based on the DDH assumption [3]. By using HPS, they showed new CCA-secure encryption schemes under the Quadratic Residuosity assumption and Paillier's Decision Composite Residuosity assumption, respectively.

In this section, we give the definition of a slight variant of HPS, where $\epsilon$-universal$_2$ is replaced by strongly universal$_2$.
7.1 Subset Membership Problem [4, 5]

A subset membership problem Mem specifies a collection $\{\mathrm{Instance}_n\}_{n \in \mathbb{N}}$ such that for every $n$, $\mathrm{Instance}_n$ is a probability distribution over problem instances $\Lambda$. Each $\Lambda$ specifies the following:

— Finite, non-empty sets $X$, $L$ and $W$ such that $L \subset X$.

— A binary relation $R \subset X \times W$ such that $x \in L$ iff $(x, w) \in R$ for some witness $w \in W$.

We require that the following PPT algorithms exist.

1. Instance sampling: samples an instance $\Lambda$ according to $\mathrm{Instance}_n$ on input $1^n$.

2. Subset sampling: outputs a random $x \in L$ together with a witness $w \in W$ for $x$ on input $1^n$ and $\Lambda[X, L, W, R]$.

3. Element sampling: outputs a random $x \in X$.

We say that Mem is hard if $(\Lambda, x_0)$ and $(\Lambda, x_1)$ are computationally indistinguishable for a random $x_0 \in L$ and a random $x_1 \in X \setminus L$.

7.2 Projective Hash Family

Let $X$ and $\Pi$ be finite, non-empty sets. Let $F = \{f_i : X \to \Pi\}_{i \in I}$ be a set of functions indexed by $I$. We call $(F, I, X, \Pi)$ a universal hash family [4, 5].

Let $L \subset X$. Let $S$ be a finite, non-empty set, and let $\alpha : I \to S$ be a function.

Set $\mathrm{Project} = (F, I, X, L, \Pi, S, \alpha)$.

Definition 4. [4, 5] $\mathrm{Project} = (F, I, X, L, \Pi, S, \alpha)$ is called a projective hash family if for all $i \in I$, the action of $f_i$ on $L$ is determined by $\alpha(i)$ (for a further clarification, see Section 7.3).

In other words, the value $f_i(x)$ is determined by $\alpha(i)$ if $x \in L$. We next define the notion of strongly universal$_2$ projective hash, a variant of Cramer-Shoup's $\epsilon$-universal$_2$ projective hash.

Definition 5. Let $\mathrm{Project} = (F, I, X, L, \Pi, S, \alpha)$ be a projective hash family. Consider the probability space defined by choosing $i \in I$ at random. We say that $\mathrm{Project}$ is strongly universal$_2$ if

— for all $s \in S$, $x \in X \setminus L$, and $\pi \in \Pi$,

$$\Pr[f_i(x) = \pi \mid \alpha(i) = s] = 1/|\Pi|,$$

— and for all $s \in S$, $x, x^* \in X \setminus L$ with $x \neq x^*$, and $\pi, \pi^* \in \Pi$,

$$\Pr[f_i(x) = \pi \mid f_i(x^*) = \pi^* \wedge \alpha(i) = s] = 1/|\Pi|.$$

That $\mathrm{Project}$ is strongly universal$_2$ means that for any $x \notin L$, the value of $f_i(x)$ is uniformly distributed over $\Pi$ conditioned on a fixed value of $\alpha(i)$, and it is also uniformly distributed over $\Pi$ conditioned on fixed values of $\alpha(i)$ and $f_i(x^*)$ for $x^* \notin L$ with $x^* \neq x$.
7.3 Hash Proof System [4, 5]

Let Mem be a subset membership problem. A hash proof system (HPS) $P$ for Mem associates with each instance $\Lambda[X, L, W, R]$ of Mem a projective hash family $\mathrm{Project} = (F, I, X, L, \Pi, S, \alpha)$.

$P$ provides several algorithms to carry out basic operations: sampling $i \in I$ at random, and computing $\alpha(i) \in S$ given $i \in I$. The private evaluation algorithm for $P$ computes $f_i(x) \in \Pi$ given $i \in I$ and $x \in X$. The public evaluation algorithm for $P$ computes $f_i(x) \in \Pi$ given $\alpha(i) \in S$, $x \in X$ and $w \in W$, where $w$ is a witness for $x$.



8 Proposed Hybrid Construction Based on HPS

In this section, we generalize our hybrid encryption scheme of Sec. 4.3 by using the variant of HPS shown above. Then efficient hybrid encryption schemes are obtained which are secure in the sense of IND-CCA under the Quadratic Residuosity assumption and Paillier's Decision Composite Residuosity assumption, respectively, in the standard model.

8.1 Hybrid Construction

Let Mem be a subset membership problem and $P$ be a hash proof system for Mem. Let SKE be a one-time symmetric-key encryption scheme.

Key Generation. Generate an instance $\Lambda[X, L, W, R]$ using the instance sampling algorithm of Mem. Suppose that $P$ associates with $\Lambda[X, L, W, R]$ a projective hash family $\mathrm{Project} = (F, I, X, L, \Pi, S, \alpha)$. Choose $i \in I$ at random and compute $s = \alpha(i)$.

The public key is $s$ and the secret key is $i$. Let $H : \Pi \to \{0,1\}^k$ be a hash function, where $k = \mathrm{SKE.Len}(\lambda)$. We assume that $H(v)$ is uniformly distributed over $\{0,1\}^k$ if $v$ is uniformly distributed over $\Pi$. This is a very weak requirement on $H$, and we can use SHA-1, for example.

Encryption. To encrypt a message $m$, generate $x \in L$ at random together with a witness $w \in W$ for $x$ using the subset sampling algorithm of Mem. Compute $\pi = f_i(x)$ using the public evaluation algorithm for $P$ on inputs $s$, $x$ and $w$. Compute $K = H(\pi)$ and $\chi = \mathrm{SKE.Enc}(1^k, K, m)$. The ciphertext is $(x, \chi)$.

Decryption. To decrypt a ciphertext $(x, \chi)$, compute $\pi = f_i(x)$ using the private evaluation algorithm for $P$ on inputs $i$ and $x$, and let $K = H(\pi)$. Then decrypt $\chi$ under $K$ using $\mathrm{SKE.Dec}$, and output the resulting decryption $z$. ($z$ may be reject.)



8.2 Security

Theorem 2. In the above construction, suppose that Mem is hard, and the associated projective hash family $\mathrm{Project} = (F, I, X, L, \Pi, S, \alpha)$ is strongly universal$_2$ for each instance $\Lambda[X, L, W, R]$ of Mem. Moreover, suppose that the one-time symmetric-key encryption scheme SKE is secure in the sense of IND-CCA and it is $\epsilon$-rejection secure for negligible $\epsilon$. Then the proposed hybrid encryption scheme is secure in the sense of IND-CCA.

The proof is a generalization of that of Theorem 1. Roughly speaking, in the proof, if the challenge ciphertext is based upon application of the projective hash function $f_i$ to an element $x^* \in L$, then the attack works as in the real case.

If $x^* \notin L$, then the following happens: At the beginning of the CCA attack, $\pi^* = f_i(x^*)$ (from which the symmetric key $K^* = H(\pi^*)$ is derived) is totally uniform and secret from the point of view of the adversary. This is due to the strongly universal$_2$ property of the projective hash family $\mathrm{Project}$. This information-theoretic property of the symmetric key $K^*$ remains as the attack progresses, due to the fact that invalid queries are not decrypted, by the $\epsilon$-rejection property of the SKE, where a ciphertext $C = (x, \chi)$ is invalid if $x \notin L$.



8.3 Examples

From [4, 5]. Let $G$ be an Abelian group of order $Q$, where $Q$ is a large prime. Let $X = G^2$, $W = \mathbb{Z}_Q$, $L = \{(g_0^r, g_1^r) \mid r \in \mathbb{Z}_Q\}$, where $g_0, g_1$ are two distinct generators of $G$. Then it is clear that the related membership problem Mem is hard if and only if the DDH assumption holds.

Let $\Gamma : G^2 \to \mathbb{Z}_Q^n$ be an injective function for some $n$. Let $\Pi = S = G$ and $I = \mathbb{Z}_Q^{2(n+1)}$. Define

$$\alpha(i_0, i_1, \ldots, i_n, j_0, j_1, \ldots, j_n) = (s_0, s_1, \ldots, s_n),$$

where $s_u = g_0^{i_u} g_1^{j_u}$ for $0 \le u \le n$. For $(x_0, x_1) \in X$, let $\Gamma(x_0, x_1) = (a_1, \ldots, a_n)$ and define

$$f_{(i_0, \ldots, i_n, j_0, \ldots, j_n)}(x_0, x_1) = x_0^{\,i_0 + a_1 i_1 + \cdots + a_n i_n} \; x_1^{\,j_0 + a_1 j_1 + \cdots + a_n j_n}.$$

(1) $\mathrm{Project} = (F, I, X, L, \Pi, S, \alpha)$ is a projective hash family because if $(x_0, x_1) = (g_0^r, g_1^r)$, then

$$f_{(i_0, \ldots, i_n, j_0, \ldots, j_n)}(x_0, x_1) = (s_0 s_1^{a_1} \cdots s_n^{a_n})^r. \quad (10)$$

(2) Consider the probability space defined by choosing $(i_0, i_1, \ldots, i_n, j_0, j_1, \ldots, j_n) \in \mathbb{Z}_Q^{2(n+1)}$ at random. For the example of [4, 5] we now have:

— For any $(x_0, x_1) \in X \setminus L$, $f_{(i_0, \ldots, i_n, j_0, \ldots, j_n)}(x_0, x_1)$ is uniformly distributed over $G$ conditioned on fixed values of $(s_0, s_1, \ldots, s_n)$.

— For any $(x_0, x_1), (x_0^*, x_1^*) \in X \setminus L$ with $(x_0, x_1) \neq (x_0^*, x_1^*)$, we easily see that $f_{(i_0, \ldots, i_n, j_0, \ldots, j_n)}(x_0, x_1)$ is uniformly distributed over $G$ conditioned on fixed values of $(s_0, s_1, \ldots, s_n)$ and $\pi^* = f_{(i_0, \ldots, i_n, j_0, \ldots, j_n)}(x_0^*, x_1^*)$.

Hence $\mathrm{Project}$ is strongly universal$_2$.

Now from Sec. 8.1, a concrete hybrid encryption scheme is obtained such that the ciphertext is $(g_0^r, g_1^r, \mathrm{SKE.Enc}(1^k, K, m))$, where $K = H(\pi)$ and $\pi$ is given by eq.(10). From Theorem 2, it is secure in the sense of IND-CCA if SKE satisfies the condition of the theorem. (This scheme is a TCR-free variant of Sec. 4.3.)

Similarly, we can obtain efficient hybrid encryption schemes which are secure in the sense of IND-CCA under the Quadratic Residuosity assumption and Paillier's Decision Composite Residuosity assumption, respectively.
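The following Python is an added example, not code from the paper: it runs the construction of Section 8.1 with the DDH projective hash family of Section 8.3. Everything concrete in it is an assumption made for the demonstration: the group is the subgroup of order $Q = 77158673929$ (a prime factor of $2^{63}+1$, hence of $p-1$) of $\mathbb{Z}_p^*$ for the Mersenne prime $p = 2^{127}-1$, $\Gamma$ writes each group element in base $Q$ (so $n = 8$), $H$ is SHA-512, and the $\epsilon$-rejection secure SKE is a one-time encrypt-then-MAC scheme built from SHA-256 and HMAC-SHA-256. The group is far too small for real use; the point is to see the public and private evaluation agree on $L$ (eq.(10)), and to see a ciphertext whose $x$ lies outside $L$ rejected by the SKE, which is exactly the event the proof of Theorem 2 relies on.

```python
"""Toy run of the HPS hybrid scheme of Sec. 8.1 with the DDH projective hash
family of Sec. 8.3.  Added example, not the paper's code.  Assumptions not in
the paper: G is the order-Q subgroup of Z_p^* for p = 2^127 - 1 and
Q = 77158673929 (a prime factor of 2^63 + 1, so Q | p - 1), Gamma writes each
element in base Q (n = 8), H is SHA-512, and SKE is one-time encrypt-then-MAC
from SHA-256 / HMAC-SHA-256.  Far too small for real security."""
import hashlib
import hmac
import secrets

P = 2**127 - 1           # Mersenne prime
Q = 77158673929          # prime order of the subgroup G (divides P - 1)

def subgroup_generator(h):
    """h^{(p-1)/Q} lands in the order-Q subgroup; retry h until it is not 1."""
    while True:
        g = pow(h, (P - 1) // Q, P)
        if g != 1:
            return g
        h += 1

G0 = subgroup_generator(3)
G1 = subgroup_generator(7)          # a second, distinct generator of G
assert G0 != G1

def gamma(x0, x1):
    """Injective Gamma : G^2 -> Z_Q^8: the four base-Q digits of each element (x < Q^4)."""
    return tuple(x // Q**e % Q for x in (x0, x1) for e in range(4))

def keygen():
    """Secret key i = (i_0..i_n, j_0..j_n) in Z_Q^{2(n+1)}; public key s_u = g0^{i_u} g1^{j_u}."""
    i_vec = [secrets.randbelow(Q) for _ in range(9)]
    j_vec = [secrets.randbelow(Q) for _ in range(9)]
    s = [pow(G0, iu, P) * pow(G1, ju, P) % P for iu, ju in zip(i_vec, j_vec)]
    return (i_vec, j_vec), s

def private_eval(sk, x0, x1):
    """f_i(x0, x1) = x0^{i_0 + sum a_u i_u} * x1^{j_0 + sum a_u j_u}; works for any (x0, x1) in X."""
    i_vec, j_vec = sk
    a = gamma(x0, x1)
    e0 = (i_vec[0] + sum(au * iu for au, iu in zip(a, i_vec[1:]))) % Q
    e1 = (j_vec[0] + sum(au * ju for au, ju in zip(a, j_vec[1:]))) % Q
    return pow(x0, e0, P) * pow(x1, e1, P) % P

def public_eval(s, x0, x1, r):
    """eq.(10): for (x0, x1) = (g0^r, g1^r) with witness r, f_i(x) = (s_0 s_1^{a_1} ... s_n^{a_n})^r."""
    base = s[0]
    for au, su in zip(gamma(x0, x1), s[1:]):
        base = base * pow(su, au, P) % P
    return pow(base, r, P)

def kdf(pi):
    """H : Pi -> {0,1}^k with k = 512; first half encrypts, second half authenticates."""
    return hashlib.sha512(pi.to_bytes(16, "big")).digest()

def keystream(k_e, length):
    return b"".join(hashlib.sha256(k_e + n.to_bytes(4, "big")).digest()
                    for n in range((length + 31) // 32))[:length]

def ske_enc(key, msg):
    """One-time encrypt-then-MAC; an altered or foreign chi fails the tag check."""
    body = bytes(m ^ k for m, k in zip(msg, keystream(key[:32], len(msg))))
    return body + hmac.new(key[32:], body, hashlib.sha256).digest()

def ske_dec(key, chi):
    """Plaintext, or None meaning reject."""
    body, tag = chi[:-32], chi[-32:]
    if len(chi) < 32 or not hmac.compare_digest(tag, hmac.new(key[32:], body, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(body, keystream(key[:32], len(body))))

def encrypt(s, msg):
    """Sec. 8.1: sample x = (g0^r, g1^r) in L with witness r; K comes from the public evaluation."""
    r = secrets.randbelow(Q)
    x0, x1 = pow(G0, r, P), pow(G1, r, P)
    return (x0, x1, ske_enc(kdf(public_eval(s, x0, x1, r)), msg))

def decrypt(sk, ct):
    """Sec. 8.1: private evaluation, then SKE.Dec; None means reject."""
    x0, x1, chi = ct
    return ske_dec(kdf(private_eval(sk, x0, x1)), chi)

def projective_check(sk, s, r):
    """Def. 4: on x in L both evaluation algorithms agree."""
    x0, x1 = pow(G0, r, P), pow(G1, r, P)
    return private_eval(sk, x0, x1) == public_eval(s, x0, x1, r)

def demo(msg=b"hybrid encryption from a hash proof system"):
    """Round trip, then two rejections: x pushed outside L, and a tampered chi."""
    sk, s = keygen()
    x0, x1, chi = ct = encrypt(s, msg)
    outside_l = (x0, x1 * G1 % P, chi)          # (g0^r, g1^{r+1}) is not in L
    tampered = (x0, x1, chi[:-1] + bytes([chi[-1] ^ 1]))
    return decrypt(sk, ct) == msg, decrypt(sk, outside_l), decrypt(sk, tampered)
```

The receiver never learns whether $x \in L$; it simply evaluates $f_i$ on whatever $x$ it is given. For $x \notin L$ the strongly universal$_2$ property makes $f_i(x)$ uniform from the sender's point of view, so the derived key is unrelated to the one under which $\chi$ was authenticated and the MAC check fails: this is the $\epsilon$-rejection behaviour the theorem assumes, with $\epsilon$ here the forgery probability of HMAC.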
Abstract. We present a fully secure Identity Based Encryption scheme whose proof of security does not rely on the random oracle heuristic. Security is based on the Decision Bilinear Diffie-Hellman assumption. This solves an open problem posed by Boneh and Franklin in 2001.



1 Introduction 

Identity Based Encryption (IBE) provides a public key encryption mechanism where a public key is an arbitrary string such as an email address or a telephone number. The corresponding private key can only be generated by a Private Key Generator (PKG) who has knowledge of a master secret. In an IBE system, users authenticate themselves to the PKG and obtain private keys corresponding to their identities. Although Identity Based Encryption was proposed two decades ago [Sha84], and a few early precursors were suggested over the years [Tan87,MY96], it is only recently that the first working implementations were proposed. Boneh and Franklin [BF01,BF03] defined a security model for Identity Based Encryption and gave a construction based on the bilinear Diffie-Hellman problem. Cocks [Coc01] describes another construction using quadratic residues modulo a composite. The security of these systems requires cryptographic hash functions that are modeled as random oracles, i.e., these systems are proven secure in the random oracle model [BR93]. The same holds for several other identity based systems featuring signatures [CC03], key exchange [SOK00], hierarchical identities [GS02], and signcryption [Boy03].

It is natural to ask whether secure IBE systems can exist in the standard model, i.e., without resorting to the random oracle heuristic. This question is especially relevant in light of several uninstantiable random oracle cryptosystems [CGH98,BBP04], which are secure in the random oracle model, but are trivially insecure under any instantiation of the oracle. Towards this goal, several recent results [CHK03,BB04,HK04] construct IBE systems secure without random oracles in weaker versions of the Boneh-Franklin model. However, until now, building a fully secure IBE remained open.

* Supported by NSF and the Packard Foundation. 

M. Franklin (Ed.): CRYPTO 2004, LNCS 3152, pp. 443-459, 2004. 

(c) International Association for Cryptologic Research 2004 
In this paper we construct an IBE system that is secure in the Boneh-Franklin model without using random oracles. Security is based on the decisional version of the bilinear Diffie-Hellman assumption. Our system demonstrates that fully secure IBE systems can exist without random oracles. The main shortcoming of the proposed system is that it is inefficient; consequently, we mostly view our construction as an existence proof.

2 Preliminaries 

Before presenting our results we briefly review a definition of security for an IBE 
system. We also review the definition for groups with a bilinear map. First, we 
introduce some notation. 



2.1 Notation 

For a finite set $S$ we use $x \leftarrow S$ to define a random variable $x$ that picks an element of $S$ uniformly at random. For a randomized algorithm $\mathcal{A}$ we use $x \leftarrow \mathcal{A}(y)$ to define a random variable $x$ that is the output of algorithm $\mathcal{A}$ on input $y$. We let $\Pr[b(x) : x \leftarrow \mathcal{A}(y)]$ denote the probability that the predicate $b(x)$ is true where $x$ is the random variable defined by $x \leftarrow \mathcal{A}(y)$. For a vector $z \in \Sigma^n$ we use $z|_i$ to denote the $i$'th component of $z$.

2.2 Secure IBE Systems 

Recall that an Identity Based Encryption system (IBE) consists of four algo- 
rithms [Sha84,BF01]: Setup, KeyGen, Encrypt, Decrypt. The Setup algorithm 
generates system parameters, denoted by params, and a master key master-key. 
The KeyGen algorithm uses the master key to generate the private key corre- 
sponding to a given identity. The encryption algorithm encrypts messages for 
a given identity (using the system parameters) and the decryption algorithm 
decrypts ciphertexts using the private key. 

Boneh and Franklin [BF01] define chosen ciphertext security for IBE systems under a chosen identity attack. In their model the adversary is allowed to adaptively choose the public key it wishes to attack (the public key on which it will be challenged). More precisely, security for an IBE system is defined using the following two probabilistic experiments $\text{CCA-Exp}_{\mathcal{A}}(0)$ and $\text{CCA-Exp}_{\mathcal{A}}(1)$.
Experiment $\text{CCA-Exp}_{\mathcal{A}}(b)$: for an algorithm $\mathcal{A}$ and a bit $b \in \{0,1\}$ define the following game between a challenger and $\mathcal{A}$:

Setup: A challenger runs the Setup algorithm. It gives A the resulting system 
parameters params. It keeps the corresponding master-key to itself. 

Phase 1: Algorithm $\mathcal{A}$ issues queries $q_1, \ldots, q_m$ where each query $q_i$ is one of:
— Private key query for an identity $\mathrm{ID}_i$. The challenger responds by running algorithm KeyGen to generate the private key $d_i$ corresponding to the public key $\mathrm{ID}_i$. It sends $d_i$ to $\mathcal{A}$.
— Decryption query for a ciphertext $C_i$ and an identity $\mathrm{ID}_i$. The challenger responds by running algorithm KeyGen to generate the private key $d_i$ corresponding to $\mathrm{ID}_i$. It then runs algorithm Decrypt to decrypt the ciphertext $C_i$ using the private key $d_i$. It gives $\mathcal{A}$ the resulting plaintext.
These queries may be asked adaptively, that is, each query $q_i$ may depend on the replies to $q_1, \ldots, q_{i-1}$.

Challenge: Once $\mathcal{A}$ decides that Phase 1 is over it outputs an identity $\mathrm{ID}^*$ and two equal length plaintexts $M_0, M_1 \in \mathcal{M}$ that it wishes to be challenged on, under the constraint that it had not previously asked for the private key of $\mathrm{ID}^*$. The challenger sets the challenge ciphertext to $C^* = \mathrm{Encrypt}(\mathit{params}, \mathrm{ID}^*, M_b)$. It sends $C^*$ as the challenge to $\mathcal{A}$.

Phase 2: Algorithm $\mathcal{A}$ issues more queries $q_{m+1}, \ldots, q_n$ where $q_i$ is one of:

— Private key query for any identity $\mathrm{ID}_i$ where $\mathrm{ID}_i \neq \mathrm{ID}^*$. The challenger responds as in Phase 1.

— Decryption query $C_i$ for identity $\mathrm{ID}^*$ where $C_i \neq C^*$. The challenger responds as in Phase 1.

These queries may be asked adaptively as in Phase 1.

Guess: Finally, $\mathcal{A}$ outputs a guess $b' \in \{0,1\}$.

We call $b'$ the output of the game and define the random variable $\text{CCA-Exp}_{\mathcal{A}}(b)$ as $\text{CCA-Exp}_{\mathcal{A}}(b) = b'$. The probability is over the random bits used by the challenger and the adversary. We define adversary $\mathcal{A}$'s advantage in attacking the IBE system $\mathcal{E}$ as:

$$\mathrm{Adv}_{\mathcal{E},\mathcal{A}} = \big|\, \Pr[\text{CCA-Exp}_{\mathcal{A}}(0) = 1] - \Pr[\text{CCA-Exp}_{\mathcal{A}}(1) = 1] \,\big|.$$

Definition 1. We say that an IBE system $\mathcal{E}$ is $(t, q_{\mathrm{ID}}, q_C, \epsilon_{\mathrm{IBE}})$-adaptive chosen ciphertext secure under a chosen identity attack if for any $t$-time IND-ID-CCA adversary $\mathcal{A}$ that makes at most $q_{\mathrm{ID}}$ chosen private key queries and at most $q_C$ chosen decryption queries we have that $\mathrm{Adv}_{\mathcal{E},\mathcal{A}} < \epsilon_{\mathrm{IBE}}$. As shorthand, we say that $\mathcal{E}$ is $(t, q_{\mathrm{ID}}, q_C, \epsilon_{\mathrm{IBE}})$-IND-ID-CCA secure.

Semantic Security. As usual, we define chosen plaintext security for an IBE system as in the game above, except that the adversary is not allowed to issue any decryption queries. The adversary may still issue adaptive private key queries. The resulting system is semantically secure under an adaptive chosen identity attack.

Definition 2. We say that an IBE system $\mathcal{E}$ is $(t, q_{\mathrm{ID}}, \epsilon_{\mathrm{IBE}})$-chosen plaintext secure under a chosen identity attack if $\mathcal{E}$ is $(t, q_{\mathrm{ID}}, 0, \epsilon_{\mathrm{IBE}})$-chosen ciphertext secure under a chosen identity attack. As shorthand, we say that $\mathcal{E}$ is $(t, q_{\mathrm{ID}}, \epsilon_{\mathrm{IBE}})$-IND-ID-CPA secure.

For $b \in \{0,1\}$ we use $\text{CPA-Exp}_{\mathcal{A}}(b)$ to denote the experiment $\text{CCA-Exp}_{\mathcal{A}}(b)$ where $\mathcal{A}$ cannot make any decryption queries.
2.3 Bilinear Groups

We briefly review the necessary facts about bilinear maps and bilinear map groups.

1. $\mathbb{G}$ and $\mathbb{G}_1$ are two (multiplicative) cyclic groups of prime order $p$;

2. $g$ is a generator of $\mathbb{G}$;

3. $e$ is a bilinear map $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_1$.

Let $\mathbb{G}$ and $\mathbb{G}_1$ be two groups as above. A bilinear map is a map $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_1$ with the following properties:

1. Bilinear: for all $u, v \in \mathbb{G}$ and $a, b \in \mathbb{Z}$, $e(u^a, v^b) = e(u, v)^{ab}$.

2. Non-degenerate: $e(g, g) \neq 1$.

We say that $\mathbb{G}$ is a bilinear group if the group action in $\mathbb{G}$ can be computed efficiently and there exists a group $\mathbb{G}_1$ and an efficiently computable bilinear map $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_1$ as above. Note that $e(\cdot, \cdot)$ is symmetric since $e(g^a, g^b) = e(g, g)^{ab} = e(g^b, g^a)$.

3 Complexity Assumptions

Let $\mathbb{G}$ be a bilinear group of prime order $p$ and $g$ be a generator of $\mathbb{G}$. We review the standard Bilinear Diffie-Hellman (BDH) assumption as well as the definition for binary biased Pseudo Random Functions (PRFs) and collision resistant functions.

3.1 Bilinear Diffie-Hellman Assumption

The BDH problem [Jou00,BF01] in $\mathbb{G}$ is as follows: given a tuple $g, g^a, g^b, g^c \in \mathbb{G}$ as input, output $e(g, g)^{abc} \in \mathbb{G}_1$. An algorithm $\mathcal{A}$ has advantage $\epsilon_{\mathrm{BDH}}$ in solving BDH in $\mathbb{G}$ if

$$\Pr\big[\mathcal{A}(g, g^a, g^b, g^c) = e(g, g)^{abc}\big] \ge \epsilon_{\mathrm{BDH}},$$

where the probability is over the random choice of $a, b, c$ in $\mathbb{Z}_p$ and the random bits of $\mathcal{A}$.

Similarly, we say that an algorithm $\mathcal{B}$ that outputs $b \in \{0,1\}$ has advantage $\epsilon_{\mathrm{BDH}}$ in solving the decision BDH problem in $\mathbb{G}$ if

$$\big|\, \Pr[\mathcal{B}(g, g^a, g^b, g^c, e(g, g)^{abc}) = 0] - \Pr[\mathcal{B}(g, g^a, g^b, g^c, T) = 0] \,\big| \ge \epsilon_{\mathrm{BDH}} \quad (1)$$

where the probability is over the random choice of $a, b, c$ in $\mathbb{Z}_p$, the random choice of $T \in \mathbb{G}_1$ and the random bits of $\mathcal{B}$. We use the following notation:

— We denote the distribution over 5-tuples in the left term of (1) by $\mathcal{P}_{\mathrm{BDH}}$.

— We denote the distribution over 5-tuples in the right term of (1) by $\mathcal{R}_{\mathrm{BDH}}$.

Definition 3. We say that the $(t, \epsilon_{\mathrm{BDH}})$-(Decision) BDH assumption holds in $\mathbb{G}$ if no $t$-time algorithm has advantage at least $\epsilon_{\mathrm{BDH}}$ in solving the (decision) BDH problem in $\mathbb{G}$.

Occasionally we drop the $t$ and $\epsilon_{\mathrm{BDH}}$ and refer to the BDH and Decision BDH assumptions in $\mathbb{G}$.
3.2 Biased Binary Pseudo-random Functions

Next we review the definition of a Pseudo Random Function (PRF) with bias $\delta$. Let $F$ be a function $F : \{0,1\}^w \to \{0,1\}$. We say that $F$ has bias $\delta \in [0,1]$ if the expectation of $F$ over all inputs in $\{0,1\}^w$ is $\delta$, i.e., $(1/2^w) \sum_{x \in \{0,1\}^w} F(x) = \delta$.

We let $\Omega_\delta$ denote the set of all functions $F : \{0,1\}^w \to \{0,1\}$ with bias $\delta$. We also let $K_1$ denote a set of keys. For an algorithm $\mathcal{A}$ we define the following value:

$$\mathrm{Exp}^{R}_{\mathcal{A}} = \Pr\big[\mathcal{A}^{F}(k_1) = 1 : F \leftarrow \Omega_\delta,\ k_1 \leftarrow K_1\big]$$

Here $\mathcal{A}^{F}(k_1)$ denotes the output of algorithm $\mathcal{A}$ when it is given oracle access to the function $F$ and input $k_1$. The input $k_1$ is a dummy input needed only so that $\mathcal{A}$ takes the same input as the $\mathcal{A}$ below.

The biased Pseudo Random Functions that we will be using are parameterized by two random values, say $k_0 \in K_0$ and $k_1 \in K_1$. The parameter $k_0$ is kept secret while $k_1$ is public. To capture this concept we consider a set of functions $\mathcal{F} = \{F_{k_0,k_1} : \{0,1\}^w \to \{0,1\}\}_{k_0 \in K_0,\, k_1 \in K_1}$. For such a family of functions $\mathcal{F}$ and an algorithm $\mathcal{A}$ we define the following value:

$$\mathrm{Exp}^{\mathcal{F}}_{\mathcal{A}} = \Pr\big[\mathcal{A}^{F_{k_0,k_1}}(k_1) = 1 : k_0 \leftarrow K_0,\ k_1 \leftarrow K_1\big]$$

Note that $\mathcal{A}$ is given $k_1$ but is not given $k_0$.

Definition 4. Let $\mathcal{F} = \{F_{k_0,k_1} : \{0,1\}^w \to \{0,1\}\}_{k_0 \in K_0,\, k_1 \in K_1}$ be a family of functions. We say that $\mathcal{F}$ is a $(\delta, t, \epsilon_{\mathrm{PRF}}, q)$-biased-PRF if for any $t$-time oracle algorithm $\mathcal{A}$ making at most $q$ queries to its oracle we have:

$$\big|\, \mathrm{Exp}^{R}_{\mathcal{A}} - \mathrm{Exp}^{\mathcal{F}}_{\mathcal{A}} \,\big| < \epsilon_{\mathrm{PRF}}$$

We say that the parameter $k_0$ is kept secret while $k_1$ is public.

3.3 Collision Resistance

We briefly review the definition of collision resistant hash functions.

Definition 5. Let $\Sigma$ be an alphabet of size $s$ and let $n$ be some positive integer. We say that a family of functions $\mathcal{H} = \{H_k : \{0,1\}^w \to \Sigma^n\}_{k \in \mathcal{K}}$ is $(t, \epsilon_H)$-collision resistant if for any $t$-time algorithm $\mathcal{A}$ we have

$$\Pr\big[H_k(x) = H_k(y) \text{ and } x \neq y : k \leftarrow \mathcal{K};\ (x, y) \leftarrow \mathcal{A}(k)\big] < \epsilon_H.$$

It is well known that collision resistant hash functions can be constructed from a finite cyclic group for which the discrete log problem is intractable. Since the Decision BDH assumption in $\mathbb{G}$ implies that discrete-log in $\mathbb{G}$ is intractable, it follows that the existence of collision resistant hash functions is implied by the Decision BDH assumption. Consequently, rather than saying that our construction depends on both Decision BDH and collision-resistance, we can say that our construction depends on Decision BDH alone for security. Nevertheless, in our security theorems we state collision resistance as an explicit assumption so that one can use any cryptographic hash function such as SHA-1, if so desired.
4 Secure IBE Construction

Before presenting our secure IBE system we first introduce a specific construction for a biased binary PRF from any collision resistant hash function. Later, in Section 5, we prove that it is indeed a PRF with overwhelming probability.

4.1 A Special Biased Binary PRF

Let $\Sigma$ be an alphabet of size $s$, and let $\Sigma_\perp = \Sigma \cup \{\perp\}$. For $0 \le m \le n$, denote by $\Sigma_\perp^{(n,m)}$ the set of vectors in $\Sigma_\perp^n$ that have exactly $m$ components in $\Sigma$. For any vector $K \in \Sigma_\perp^{(n,m)}$ with $n \ge m \ge 0$, and any function $H : \{0,1\}^w \to \Sigma^n$ with $w > 0$, we define the bias map $F_{K,H} : \{0,1\}^w \to \{0,1\}$ as

$$F_{K,H}(x) = \begin{cases} 0 & \text{if } \exists\, i \in \{1, \ldots, n\} : H(x)|_i = K|_i \\ 1 & \text{if } \forall\, i \in \{1, \ldots, n\} : H(x)|_i \neq K|_i \end{cases}$$

Observe that when $H$ is a random function, the bias map $F_{K,H}$ has an expectation of $(1 - 1/s)^m$ over the inputs $x \in \{0,1\}^w$ (each of the $m$ components of $K$ lying in $\Sigma$ is hit by the corresponding component of $H(x)$ with probability $1/s$, and $\perp$ is never hit).

Definition 6. Let $n, m, w$ be positive integers with $m \le n$. Let $\Sigma$ be an alphabet of size $s$ and set $\delta = (1 - 1/s)^m$. We say that a hash function family $\{H_k : \{0,1\}^w \to \Sigma^n\}_{k \in \mathcal{K}}$ is $(t, \epsilon_{\mathrm{PRF}}, q, m)$-admissible if the function family $\{F_{K,H_k}\}_{K \in \Sigma_\perp^{(n,m)},\, k \in \mathcal{K}}$ is a $(\delta, t, \epsilon_{\mathrm{PRF}}, q)$-biased PRF. Here $k$ is public and $K$ is secret.

In Section 5 we show how an admissible hash function family can be constructed given a collision resistant hash function family. In the rest of this section, we show how to use admissible hash functions to construct a secure IBE in the standard model.

4.2 Secure IBE Using Admissible Hash Functions

We are now ready to present our secure IBE system. It is based on a recent HIBE construction without random oracles by Boneh and Boyen [BB04] (secure in a selective identity attack model), itself inspired by a random oracle HIBE construction due to Gentry and Silverberg [GS02].

The system makes use of a collision resistant hash function and security is based on the Decision BDH assumption. Let $\mathbb{G}$ be a bilinear group of prime order $p$ and $g$ be a generator of $\mathbb{G}$. Let $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_1$ be the bilinear map. We assume that the messages to be encrypted are elements of $\mathbb{G}_1$.

Throughout the section we let $\Sigma = \{1, \ldots, s\}$ be an alphabet of size $s$, although later we restrict our attention to the binary case $s = 2$. We also let $\{H_k : \{0,1\}^w \to \Sigma^n\}_{k \in \mathcal{K}}$ be a family of hash functions. For now, we assume that public keys (ID) are elements in $\{0,1\}^w$. We later extend the construction to public keys over $\{0,1\}^*$ by first hashing ID using a collision resistant hash $H : \{0,1\}^* \to \{0,1\}^w$. The IBE system works as follows:
Setup: To generate system parameters the algorithm picks a random $a \in \mathbb{Z}_p$ and sets $g_1 = g^a$. Next, it picks a random $g_2 \in \mathbb{G}$ and a random $n \times s$ matrix $U = (u_{i,j})$ where each $u_{i,j}$ is random in $\mathbb{G}$. Finally, the algorithm picks a random $k \in \mathcal{K}$ as a hash function key. The system parameters are $\mathit{params} = (g, g_1, g_2, U, k)$. The master key is $\mathit{master\text{-}key} = g_2^a$.

KeyGen($\mathit{params}$, ID, $\mathit{master\text{-}key}$): To generate the private key for an identity $\mathrm{ID} \in \{0,1\}^w$ the algorithm lets $\vec{a} = H_k(\mathrm{ID}) = a_1 \ldots a_n \in \Sigma^n$ and picks random $r_1, \ldots, r_n \in \mathbb{Z}_p$. The private key $d_{\mathrm{ID}}$ is:

$$d_{\mathrm{ID}} = \Big( g_2^a \cdot \prod_{j=1}^{n} u_{j,a_j}^{r_j},\ g^{r_1},\ \ldots,\ g^{r_n} \Big) \in \mathbb{G}^{n+1}$$

Encrypt($\mathit{params}$, ID, $M$): To encrypt a message $M \in \mathbb{G}_1$ under the public key $\mathrm{ID} \in \{0,1\}^w$, first set $\vec{a} = H_k(\mathrm{ID}) = a_1 \ldots a_n \in \Sigma^n$, then pick a random $t \in \mathbb{Z}_p$ and output

$$C = \big( e(g_1, g_2)^t \cdot M,\ g^t,\ u_{1,a_1}^t,\ \ldots,\ u_{n,a_n}^t \big)$$

Note that $e(g_1, g_2)$ can be precomputed so that encryption does not require any pairing computations.

Decrypt($\mathit{params}$, $d_{\mathrm{ID}}$, $C$): To decrypt a ciphertext $C = (A, B, C_1, \ldots, C_n)$ using the private key $d_{\mathrm{ID}} = (d_0, d_1, \ldots, d_n)$, output:

$$A \cdot \frac{\prod_{j=1}^{n} e(C_j, d_j)}{e(B, d_0)} = M$$

Let $\vec{a} = H_k(\mathrm{ID}) = a_1 \ldots a_n \in \Sigma^n$. Then, indeed, for a valid ciphertext we have:

$$\frac{\prod_{j=1}^{n} e(C_j, d_j)}{e(B, d_0)} = \frac{\prod_{j=1}^{n} e(u_{j,a_j}, g)^{t r_j}}{e(g, g_2)^{ta} \prod_{j=1}^{n} e(g, u_{j,a_j})^{t r_j}} = \frac{1}{e(g_1, g_2)^t}$$

This completes the description of the system.



4.3 Security

We now turn to proving security of the IBE above. The system makes use of an admissible hash function family and security is based on the Decision BDH assumption. We prove security in the standard model, i.e., without random oracles.

Theorem 1. Let $|\Sigma| = s$. Suppose the $(t, \epsilon_{\mathrm{BDH}})$-Decision BDH assumption holds in $\mathbb{G}$. Furthermore, suppose $\{H_k : \{0,1\}^w \to \Sigma^n\}_{k \in \mathcal{K}}$ is a $(t, \epsilon_{\mathrm{PRF}}, q+1, m)$-admissible family of hash functions. Set $\delta = (1 - 1/s)^m$ and $\Delta = \delta(1 - \delta)^q$. Assume that $\Delta > \epsilon_{\mathrm{PRF}}$. Then the IBE system above is $(t, q, \epsilon_{\mathrm{IBE}})$-chosen plaintext (IND-ID-CPA) secure for any $\epsilon_{\mathrm{IBE}} > 2\epsilon_{\mathrm{BDH}} / (\Delta - \epsilon_{\mathrm{PRF}})$.

We note that taking $m = \Theta(s \log q)$ leads to $\Delta = \Theta(1/q)$. Then, ignoring $\epsilon_{\mathrm{PRF}}$, we have that $\epsilon_{\mathrm{IBE}} = \Theta(q\, \epsilon_{\mathrm{BDH}})$. Hence, in groups where $(t, \epsilon_{\mathrm{BDH}})$-Decision BDH holds we obtain a $(t, q, \Theta(q\, \epsilon_{\mathrm{BDH}}))$-secure IBE system without random oracles.
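The bias map of Section 4.1 and the parameter trade-off behind Theorem 1 can be checked numerically. The following Python is an added example, not code from the paper: it implements $F_{K,H}$ over $\Sigma = \{1, \ldots, s\}$ (with $\perp$ encoded as 0), estimates its bias against $(1 - 1/s)^m$ using SHA-256 on constructed inputs as an assumed stand-in for $H_k$, and computes the simulator's non-abort probability $\Delta = \delta(1-\delta)^q$ together with the $m$ that maximises it for a given $s$ and $q$. The identities and the hash are assumptions of the example; the formulas are the paper's.

```python
"""Bias map F_{K,H} of Sec. 4.1 and the non-abort probability Delta = delta(1-delta)^q
of Theorem 1.  Added example, not the authors' code.  Assumptions: Sigma = {1..s} with
bottom encoded as 0, H_k is stood in for by SHA-256(k || x) with bytes reduced mod s,
and the hashed inputs are constructed strings."""
import hashlib

def hash_to_sigma_n(k, x, s, n):
    """Stand-in for H_k : {0,1}^w -> Sigma^n (assumption: SHA-256 digits mod s)."""
    d = hashlib.sha256(k + x).digest()
    return [1 + d[i] % s for i in range(n)]

def bias_map(K, hx):
    """F_{K,H}(x): 0 if H(x)|_i = K|_i for some i, 1 if every coordinate differs;
    bottom components of K (encoded 0) never match."""
    return 0 if any(ki != 0 and ki == hi for ki, hi in zip(K, hx)) else 1

def expected_bias(s, m):
    """(1 - 1/s)^m: each of the m non-bottom coordinates of K is hit with probability 1/s."""
    return (1 - 1 / s) ** m

def empirical_bias(K, k, s, n, samples):
    """Mean of F_{K,H} over the constructed inputs x_0, x_1, ... (compare with expected_bias)."""
    ones = sum(bias_map(K, hash_to_sigma_n(k, b"x%d" % i, s, n)) for i in range(samples))
    return ones / samples

def no_abort_probability(s, m, q):
    """Delta = delta (1 - delta)^q: the simulator must see F = 0 on each of the q key
    queries and F = 1 on the challenge identity; for a random H these are independent."""
    delta = expected_bias(s, m)
    return delta * (1 - delta) ** q

def best_m(s, q, n):
    """The m <= n maximising Delta; the paper's m = Theta(s log q) gives Delta = Theta(1/q)."""
    return max(range(1, n + 1), key=lambda m: no_abort_probability(s, m, q))
```

For $s = 2$ and $q = 1000$ the best choice is $m = 10$, giving $q\Delta \approx 0.37$: the reduction loses a factor of roughly $e \cdot q$ in advantage, which is the $\Theta(q\,\epsilon_{\mathrm{BDH}})$ loss stated above.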

To prove the theorem we need to show that for any $t$-time algorithm $\mathcal{A}$ that makes at most $q$ private key queries we have

$$\big|\, \Pr[\text{CPA-Exp}_{\mathcal{A}}(0) = 1] - \Pr[\text{CPA-Exp}_{\mathcal{A}}(1) = 1] \,\big| < \epsilon_{\mathrm{IBE}}$$

To do so we first define two additional experiments.



Experiment 1: $\text{BDH-Exp}_{\mathcal{A}}(b, (g, g_1, g_2, g_3, T))$. Let $\mathcal{A}$ be an algorithm, $b$ be a bit in $\{0,1\}$, and $(g, g_1, g_2, g_3, T)$ a 5-tuple where $g, g_1, g_2, g_3 \in \mathbb{G}$ and $T \in \mathbb{G}_1$. Define the following game between a simulator and $\mathcal{A}$:

Setup: To start, the simulator generates system parameters by first picking a random vector $V = v_1 \ldots v_n \in \Sigma_\perp^{(n,m)}$. It then generates an $n \times s$ matrix $U = (u_{i,j})$ as follows. For each $i = 1, \ldots, n$ and $j = 1, \ldots, s$ it picks a random $\alpha_{i,j} \in \mathbb{Z}_p$ and sets

$$u_{i,j} = \begin{cases} g_2 \cdot g^{\alpha_{i,j}} & \text{if } v_i = j, \text{ and} \\ g^{\alpha_{i,j}} & \text{otherwise} \end{cases}$$

Next, the simulator picks a random $k \in \mathcal{K}$ as a hash function key. It gives $\mathcal{A}$ the system parameters $\mathit{params} = (g, g_1, g_2, U, k)$. Note that the corresponding (unknown) master key is $\mathit{master\text{-}key} = g_2^a$ where $a = \log_g g_1$.

Phase 1. $\mathcal{A}$ issues up to $q$ private key queries. Consider a query for the private key $\mathrm{ID} \in \{0,1\}^w$. Let $a = H_k(\mathrm{ID}) = a_1 \ldots a_n \in \Sigma^n$. If $a_i \ne v_i$ for all $i = 1, \ldots, n$ then the simulator terminates the experiment and outputs abort. Otherwise, there exists an $i$ such that $a_i = v_i \in \Sigma$. The simulator derives the private key for ID by first picking random elements $r_1, \ldots, r_n \in \mathbb{Z}_p$ and then setting

$$d_0 = g_1^{-\alpha_{i,a_i}} \prod_{j=1}^{n} u_{j,a_j}^{r_j}, \qquad d_1 = g^{r_1}, \ \ldots, \ d_i = g_1^{-1}\, g^{r_i}, \ \ldots, \ d_n = g^{r_n} \qquad (2)$$

We note that $(d_0, d_1, \ldots, d_n) \in \mathbb{G}^{n+1}$ is a valid random private key for ID. To see this, let $\tilde r_i = r_i - \alpha$. Then we have that

$$g_1^{-\alpha_{i,a_i}} \prod_{j=1}^{n} u_{j,a_j}^{r_j} \;=\; g_1^{-\alpha_{i,a_i}} \bigl(g_2 \cdot g^{\alpha_{i,a_i}}\bigr)^{r_i} \prod_{j=1,\, j \ne i}^{n} u_{j,a_j}^{r_j} \;=\; g_2^{\alpha} \cdot u_{i,a_i}^{\tilde r_i} \prod_{j=1,\, j \ne i}^{n} u_{j,a_j}^{r_j}$$

It follows that the key $(d_0, d_1, \ldots, d_n)$ defined in (2) satisfies:

$$d_0 = g_2^{\alpha} \cdot u_{i,a_i}^{\tilde r_i} \prod_{j=1,\, j \ne i}^{n} u_{j,a_j}^{r_j}, \qquad d_1 = g^{r_1}, \ \ldots, \ d_i = g^{\tilde r_i}, \ \ldots, \ d_n = g^{r_n}$$

where $r_1, \ldots, \tilde r_i, \ldots, r_n$ are uniform in $\mathbb{Z}_p$. This matches the definition of a private key for ID, and hence $(d_0, d_1, \ldots, d_n)$ is a valid private key for ID. The simulator gives this key to $\mathcal{A}$.
Challenge. $\mathcal{A}$ outputs an identity $\mathrm{ID}^*$ and two messages $M_0, M_1 \in \mathbb{G}_1$. Let $a = H_k(\mathrm{ID}^*) = a_1 \ldots a_n \in \Sigma^n$. If there exists an $i$ such that $a_i = v_i$ then the simulator terminates the experiment and outputs abort. Otherwise, the simulator responds with the challenge ciphertext

$$C = \bigl(M_b \cdot T,\ g_3,\ g_3^{\alpha_{1,a_1}}, \ldots, g_3^{\alpha_{n,a_n}}\bigr)$$

Suppose $g_3 = g^{c}$. Then, we note that since $u_{i,a_i} = g^{\alpha_{i,a_i}}$ for all $i$, we have that:

$$C = \bigl(M_b \cdot T,\ g^{c},\ u_{1,a_1}^{c}, \ldots, u_{n,a_n}^{c}\bigr)$$

Hence, if $T = e(g, g)^{\alpha\beta c} = e(g_1, g_2)^{c}$ (writing $g_2 = g^{\beta}$) then the challenge $C$ is a valid encryption of $M_b$ under $\mathrm{ID}^*$.

Phase 2. $\mathcal{A}$ issues more private key queries for identities $\mathrm{ID} \ne \mathrm{ID}^*$. The simulator responds as before.

Guess. Finally, $\mathcal{A}$ outputs a guess $b' \in \{0, 1\}$. The simulator outputs $b'$ as the result of the experiment.

We define $\mathrm{BDH\text{-}Exp}_{\mathcal{A}}(b, (g, g_1, g_2, g_3, T))$ to be the random variable denoting the simulator's output in the above experiment. It takes one of three values: 0, 1, or abort.

Experiment 2: $\mathrm{PRF\text{-}Exp}_{\mathcal{A}}(b, F, k)$. Let $\mathcal{A}$ be an algorithm, $b$ be a bit in $\{0, 1\}$, $F$ be a function $F : \{0,1\}^w \to \{0,1\}$, and $k \in \mathcal{K}$. Define the following game between a simulator and $\mathcal{A}$:

Setup: To generate system parameters the simulator picks a random $\alpha \in \mathbb{Z}_p$ and sets $g_1 = g^{\alpha}$. Next, it picks random $g_2 \in \mathbb{G}$ and a random $n \times s$ matrix $U = (u_{i,j})$ where each $u_{i,j} \in \mathbb{G}$. It gives $\mathcal{A}$ the system parameters $\mathrm{params} = (g, g_1, g_2, U, k)$ and keeps to itself the master key $\mathrm{master\text{-}key} = g_2^{\alpha}$.

Phase 1: $\mathcal{A}$ issues up to $q$ adaptive private key queries. Consider a query for the private key $\mathrm{ID} \in \{0, 1\}^w$. If $F(\mathrm{ID}) = 1$ the simulator terminates the experiment and outputs abort. Otherwise, the simulator uses $\mathrm{master\text{-}key}$ to generate the private key for ID and gives the result to $\mathcal{A}$.

Challenge. $\mathcal{A}$ outputs an identity $\mathrm{ID}^*$ and two messages $M_0, M_1 \in \mathbb{G}_1$. If $F(\mathrm{ID}^*) = 0$ the simulator terminates the experiment and outputs abort. Otherwise, the simulator creates the encryption of $M_b$ and gives the resulting challenge ciphertext to $\mathcal{A}$.

Phase 2. $\mathcal{A}$ issues more private key queries for identities $\mathrm{ID} \ne \mathrm{ID}^*$. The simulator responds as before (aborting as necessary).

Guess. Finally, $\mathcal{A}$ outputs a guess $b' \in \{0, 1\}$. The simulator outputs $b'$ as the result of the experiment.

We define $\mathrm{PRF\text{-}Exp}_{\mathcal{A}}(b, F, k)$ to be the random variable denoting the simulator's output in the above experiment. It takes one of three values: 0, 1, or abort.

Next, we state four facts about these experiments, which we prove in the full version of the paper. The proof of Theorem 1 will follow immediately from these facts. We define the following notation:

1. Define the random variable $Z = (g, g_1, g_2, g_3, T) \xleftarrow{R} \mathcal{P}_{BDH}$.

2. For $b = 0, 1$ define the random variable $T_b = \mathrm{BDH\text{-}Exp}_{\mathcal{A}}(b, Z)$.

3. For $b = 0, 1$ define the value $\tau_b = \Pr[T_b = 1 \mid T_b \ne \text{abort}]$.

4. We let $\{F_K, H_k\}$ denote the distribution sampled by the following algorithm: pick a random $k \in \mathcal{K}$ and a random $K$ from the universe of secret indices, and output the (function, key) pair $(F_{K,H_k}, k)$.

5. We set $\delta = (1 - 1/s)^m$ and $\Delta = \delta(1 - \delta)^q$.

Claim 1. Consider $(F, k) \xleftarrow{R} \{F_K, H_k\}$. Then for $b = 0, 1$ the random variable $T_b = \mathrm{BDH\text{-}Exp}_{\mathcal{A}}(b, Z)$ is identical to the random variable $\mathrm{PRF\text{-}Exp}_{\mathcal{A}}(b, F, k)$.

Claim 2. For $b = 0, 1$ we have that $\tau_b$ is equal to $\Pr[\mathrm{CPA\text{-}Exp}_{\mathcal{A}}(b) = 1]$.

Claim 3. Let $(F, k) \xleftarrow{R} \{F_K, H_k\}$. Then for $b = 0, 1$:

$$\Pr[\mathrm{PRF\text{-}Exp}_{\mathcal{A}}(b, F, k) = \text{abort}] \le 1 - \Delta + \varepsilon_{PRF}$$

Claim 4. We have that $|\tau_0 - \tau_1| \le 2\varepsilon_{BDH}/(\Delta - \varepsilon_{PRF})$.

The proofs of these claims are given in the full version of the paper. The main theorem follows easily.

Proof (Proof of Theorem 1). The theorem follows directly from Claims 2 and 4. The two claims together show that for any $t$-time algorithm $\mathcal{A}$ that makes at most $q$ private key queries, we have

$$\bigl|\,\Pr[\mathrm{CPA\text{-}Exp}_{\mathcal{A}}(0) = 1] - \Pr[\mathrm{CPA\text{-}Exp}_{\mathcal{A}}(1) = 1]\,\bigr| = |\tau_0 - \tau_1| \le 2\varepsilon_{BDH}/(\Delta - \varepsilon_{PRF})$$

as required. □

5 Constructing Admissible Hash Functions

It remains to show how an admissible hash function family can be constructed given a collision resistant hash function family. We do this in two steps: we first present some idealized sufficient conditions for a hash function family to be admissible, then show how these conditions can be achieved in the case of a binary alphabet given a family of collision resistant hash functions. As previously mentioned, the Decision BDH assumption can be used to realize collision resistance, although we are free to use more practical hash functions.

For simplicity, we define the following shorthand notation. Throughout, $K$ ranges over the universe of possible values of the secret index. For a hash function $H$, we respectively define the $H$-null-set and the $H$-kernel of any $x \in \{0, 1\}^w$ as:

$$Z_H(x) = \{K : F_{K,H}(x) = 0\}, \qquad Y_H(x) = \{K : F_{K,H}(x) = 1\}$$

Clearly, for any $x$ the sets $Z_H(x)$ and $Y_H(x)$ form a partition of the universe such that

$$|Z_H(x)| = \binom{n}{m}\bigl(s^m - (s-1)^m\bigr), \qquad |Y_H(x)| = \binom{n}{m}(s-1)^m.$$

For binary alphabets, we have

$$(s = 2) \qquad |Z_H(x)| = \binom{n}{m}(2^m - 1), \qquad |Y_H(x)| = \binom{n}{m}.$$

Before delving into the construction, we need to make precise the following notions.




Secure Identity Based Encryption Without Random Oracles



Adversarial Uncertainty. We formalize the information made available to the adversary using the notion of knowledge state. At any time during the interaction of an algorithm with a bias map oracle $F_{K,H}$ where $H$ is public and $K$ is secret, the algorithm's available knowledge about the oracle is captured by a distribution of the secret $K$. Initially the distribution is uniform over the whole universe, since $K$ is chosen uniformly in this set. Now, suppose that prior to the next interaction with the oracle the distribution is uniform over some set $S$; then the distribution after the next oracle query $F_{K,H}(x_i)$ is uniform over a subset $S' \subseteq S$ such that

$$S' = \begin{cases} S \cap Z_H(x_i) & \text{if } F_{K,H}(x_i) = 0 \\ S \cap Y_H(x_i) & \text{if } F_{K,H}(x_i) = 1 \end{cases}$$

It follows that after learning the responses $\{F_{K,H}(x_i) : i = 1, \ldots, j\}$ to any set of queries $\{x_i : i = 1, \ldots, j\}$, the algorithm's knowledge state regarding $K$ is completely captured by the uniform distribution over the set $S_j$ given by

$$S_j = S_j^{(0)} \cap S_j^{(1)} = \bigcap_{i \le j\,:\,F_{K,H}(x_i) = 0} Z_H(x_i) \;\cap\; \bigcap_{i \le j\,:\,F_{K,H}(x_i) = 1} Y_H(x_i)$$

Here, $S_j^{(0)}$ and $S_j^{(1)}$ are respectively defined as the sets of values of $K$ that are compatible with the "negative" and the "positive" responses from the set of oracle responses $\{F_{K,H}(x_i) : i = 1, \ldots, j\}$. Notice that reordering the queries has no effect on the knowledge state.
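The following Python program is an added worked example, not code from the paper: it brute-forces the bias map $F_{K,H}$, the null-set/kernel partition $Z_H(x), Y_H(x)$ defined above, and the knowledge-state update $S_j$ for toy parameters. It assumes, consistently with the counts $|Z_H(x)| = \binom{n}{m}(s^m - (s-1)^m)$ and $|Y_H(x)| = \binom{n}{m}(s-1)^m$ given earlier, that a secret index $K$ fixes a symbol at exactly $m$ of its $n$ coordinates and is a wildcard elsewhere, and that $F_{K,H}(x) = 1$ exactly when $H(x)$ disagrees with $K$ on every fixed coordinate. The hash values fed in are constructed inputs standing in for $H(x)$, and all function names are the example's own.

```python
from fractions import Fraction
from itertools import combinations, product
from math import comb


def universe(n, m, s):
    """Every secret index K (assumed structure, see lead-in): exactly m of the n
    coordinates carry a symbol from {0, ..., s-1}; the others are None, a
    wildcard.  There are C(n,m) * s^m such K, matching the counts on the page."""
    for positions in combinations(range(n), m):
        for symbols in product(range(s), repeat=m):
            K = [None] * n
            for p, c in zip(positions, symbols):
                K[p] = c
            yield tuple(K)


def bias_map(K, hx):
    """F_{K,H}(x) evaluated on hx = H(x): 1 iff hx misses K on every fixed
    coordinate, 0 iff it agrees with K on at least one fixed coordinate."""
    return 1 if all(c is None or c != h for c, h in zip(K, hx)) else 0


def null_set(S, hx):
    """Z_H(x) intersected with the candidate set S."""
    return {K for K in S if bias_map(K, hx) == 0}


def kernel(S, hx):
    """Y_H(x) intersected with the candidate set S."""
    return {K for K in S if bias_map(K, hx) == 1}


def knowledge_state(U, history):
    """S_j: intersect Z_H(x_i) over the negative answers and Y_H(x_i) over the
    positive ones.  history is a list of (H(x_i), F(x_i)) pairs; the result is
    independent of their order, as the text notes."""
    S = set(U)
    for hx, answer in history:
        S = null_set(S, hx) if answer == 0 else kernel(S, hx)
    return S


def conditional_positive_probability(U, history, hx):
    """P_j = Pr[F(x_j) = 1 | history] = |Y_j ∩ S_{j-1}| / |S_{j-1}|, exactly."""
    S = knowledge_state(U, history)
    return Fraction(len(kernel(S, hx)), len(S))


def expected_delta(m, s):
    """delta = (1 - 1/s)^m, the positive probability with an empty history."""
    return Fraction(s - 1, s) ** m


def partition_sizes(n, m, s, hx):
    """(|Z_H(x)|, |Y_H(x)|) by brute force, followed by the two closed forms."""
    U = list(universe(n, m, s))
    return (len(null_set(U, hx)), len(kernel(U, hx)),
            comb(n, m) * (s ** m - (s - 1) ** m), comb(n, m) * (s - 1) ** m)


if __name__ == "__main__":
    n, m, s = 4, 2, 2
    U = list(universe(n, m, s))
    h1, h2 = (0, 0, 0, 0), (1, 1, 0, 0)          # constructed values of H(x_1), H(x_2)
    print("partition sizes:", partition_sizes(n, m, s, h1))
    print("P_1 =", conditional_positive_probability(U, [], h1),
          "delta =", expected_delta(m, s))
    # one negative answer on x_1 shifts the next conditional probability above delta
    print("P_2 after F(x_1)=0:", conditional_positive_probability(U, [(h1, 0)], h2))
```

With $n = 4, m = 2, s = 2$ the universe has 24 indices, the first query splits it 18/6, $P_1 = \delta = 1/4$ exactly, and after one negative answer the conditional probability for a second point rises to $5/18$: the oracle is not memoryless, which is what the bounds in the next subsection control.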



Hamming Separation Property. For two vectors $x, y \in \Sigma^n$, we write $d(x, y)$ for the Hamming distance between $x$ and $y$. We say that a hash function family $\{H_k : \{0, 1\}^w \to \Sigma^n\}_{k \in \mathcal{K}}$ satisfies the $v$-Hamming separation property if $\forall k \in \mathcal{K}$ and $\forall x, y \in \{0, 1\}^w$ such that $H_k(x) \ne H_k(y)$, it also holds that $d(H_k(x), H_k(y)) \ge v$. In other words, any distinct $H_k(x)$ and $H_k(y)$ must take differing values in at least $v$ coordinates (and thus have at most $n - v$ coordinates in common).

In Section 5.2, we show how to achieve the Hamming separation property from collision resistance using coding theory.



5.1 Sufficient Conditions for Admissibility

The following theorem gives a set of sufficient conditions for a hash family to be admissible as defined in Definition 6. We focus on binary alphabets ($s = 2$).

Theorem 2. Let $n, m, v, w$ be positive integers such that $m \le n$ and $v \le n$. Let $\Sigma$ be an alphabet of size $s = 2$, and let $\delta = (1 - 1/s)^m = 2^{-m}$. Assume that $\mathcal{H} = \{H_k : \{0,1\}^w \to \Sigma^n\}_{k \in \mathcal{K}}$ is some $(t, \varepsilon_H)$-collision resistant hash function family that satisfies the $v$-Hamming separation property. Pose $\theta = (1 - v/n)^m$. If $\theta \le \kappa\delta$ for some arbitrary $\kappa \in (1, \infty)$ then the family $\mathcal{H}$ is $(t, \varepsilon_{PRF}, q, m)$-admissible provided that $\varepsilon_{PRF} \ge \varepsilon_H + [\ldots]$ and $q < \gamma/\kappa\delta$ for some arbitrary $\gamma \in (0, \tfrac{1}{2})$.
Proof. It suffices to show that, in the view of any algorithm $\mathcal{A}$ interacting with a bias map oracle $F_{K,H_k}$ for random $k \in \mathcal{K}$ and random $K$ from the universe of secret indices, where $K$ is secret, the first $q$ outputs of the oracle are distributed identically to the first $q$ outcomes of a binomial random process of expectation $\delta$, with probability at least $1 - \varepsilon_{PRF}$.

We henceforth omit the subscripts $K$ and $H_k$ since there is no ambiguity, and write $F(x)$ for $F_{K,H_k}(x)$. We use the abbreviations $Y_i = Y_{H_k}(x_i)$, $Z_i = Z_{H_k}(x_i)$, $h_i = H_k(x_i)$, and $F_i = F(x_i)$.

We compute the distribution of the first $q$ oracle answers under the stated assumptions, treating the algorithm $\mathcal{A}$ as an adversary that adaptively selects the $q$ points $x_1, \ldots, x_q$ at which $F$ is queried. For now, we assume that $\forall i \ne j : x_i \ne x_j \Rightarrow h_i \ne h_j$ (and by the $v$-Hamming separation property, $d(h_i, h_j) \ge v$). By the $(t, \varepsilon_H)$-collision resistance assumption on $\mathcal{H}$, this is true with probability at least $1 - \varepsilon_H$. We correct for this assumption at the end.



Suppose that before step $j \in \{1, \ldots, q\}$ the adversary has learned the $j - 1$ values respectively taken by $F(x)$ at arbitrary query points $x =x_1, \ldots, x_{j-1}$. Our goal is to find lower and upper bounds on the conditional probability that $F(x_j) = 1$ given the history of past queries and answers, in the adversary's view, uniformly for all choices of the next query point $x_j \notin \{x_1, \ldots, x_{j-1}\}$.

Let $X_i = \{x_1, \ldots, x_i\} = X_i^{(0)} \cup X_i^{(1)}$ where $X_i^{(0)} = \{x \in X_i : F(x) = 0\}$ and $X_i^{(1)} = \{x \in X_i : F(x) = 1\}$, and write $P_j = \Pr[F(x_j) = 1 \mid X_{j-1}^{(0)}, X_{j-1}^{(1)}]$ for the probability we seek to bound. Observe that the two sets $X_{j-1}^{(0)}$ and $X_{j-1}^{(1)}$ together capture all relevant information about the query history just before the $j$-th query, since the order of the queries is irrelevant. We have

$$P_j = \Pr\bigl[F(x_j) = 1 \mid X_{j-1}^{(0)}, X_{j-1}^{(1)}\bigr] = \frac{|Y_j \cap S_{j-1}|}{|S_{j-1}|} = \frac{\Bigl|\,Y_j \cap \bigl(\bigcap_{x \in X_{j-1}^{(1)}} Y(x)\bigr) \cap \bigl(\bigcap_{x \in X_{j-1}^{(0)}} Z(x)\bigr)\Bigr|}{\Bigl|\,\bigl(\bigcap_{x \in X_{j-1}^{(1)}} Y(x)\bigr) \cap \bigl(\bigcap_{x \in X_{j-1}^{(0)}} Z(x)\bigr)\Bigr|}$$

where we have posed $[\ldots]$ as shorthand for the resulting counting expression.

We can use this general expression and the $v$-Hamming separation property to bound $P_j$ for query histories that contain either zero or one positive answer. We later show that the other cases are together very unlikely. Namely, we seek:

1. a uniform bounding interval on $P_j$ for all query histories with $|X_{j-1}^{(1)}| = 0$ (i.e., containing only negative answers);

2. a uniform upper bound on $P_j$ for all query histories such that $|X_{j-1}^{(1)}| = 1$ (i.e., containing one positive answer).

We obtain non-trivial uniform bounds of three different kinds, given by

$$\forall X_{j-1}^{(0)}, X_{j-1}^{(1)} \text{ s.t. } |X_{j-1}^{(1)}| = 0 : \qquad (1 - \gamma)\delta \le P_j \le (1 + 2\gamma)\delta$$

$$\forall X_{j-1}^{(0)}, X_{j-1}^{(1)} \text{ s.t. } |X_{j-1}^{(1)}| = 1 : \qquad P_j \le 2\kappa\delta$$

Detailed calculations for these bounds are given in the full version of the paper.
Subject to the above inequalities, we set out to bound the probability that the biased PRF oracle $F$ deviates from a sequence of $q$ outcomes from a genuine memoryless binomial process of expectation $\delta$ over a sequence of length $q$.

Consider $R$, a binomial process of expectation $\delta$. We construct a modified process $R'$ whose $i$-th outcome is defined as $R'_i = R_i \oplus M_i$. Here, $M$ is a control process whose purpose is to randomly decide whether $R'_i$ should assume the value of $R_i$ or its opposite, with a probability that depends on the previous outcomes $R'_1, \ldots, R'_{i-1}$ and the current drawing $R_i$. By properly choosing $M$, we can make $R'$ behave exactly as $F$, i.e., have the $q$-prefixes of $R'$ achieve the same joint distribution as the $q$-prefix of $F$. In particular, this means that the event that the processes $R$ and $F$ behave similarly over a sequence of length $q$ is at least as likely as the event that $M_i = 0$ for all $i = 1, \ldots, q$, since in this case $R$ and $R'$ have the same first $q$ outcomes. It remains to bound such probability. Here is the gist of the argument.

The goal is to devise an $R'$ that perfectly simulates any $q$-prefix of $F = F_{K,H}$ for (unknown) random $K$, and bound the influence of $M$ needed to do so. Suppose that for some query history $X_{j-1}^{(0)}, X_{j-1}^{(1)}$ the conditional expectation $P_j = \Pr[F_j = 1 \mid X_{j-1}^{(0)}, X_{j-1}^{(1)}]$ of $F_j$ as viewed by the adversary exceeds the expectation $\Pr[R_j = 1] = \delta$ of the binomial process $R_j$. One can make the simulated process $R'_j$ assume the expected law of $F_j$ conditionally on this specific history by letting the control process take $M_j \leftarrow 1$ with conditional probability $(P_j - \delta)/(1 - \delta)$ when $R_j = 0$, and with probability 0 when $R_j = 1$. More generally, we find that for the process $R'$ to perfectly simulate $F$, it suffices that for $j = 1, \ldots, q$, the conditional law of $M_j$ given $R'_1, \ldots, R'_{j-1}, R_j$ satisfies

$$\Pr[M_j = 1,\ R_j = 0 \mid R'_1, \ldots, R'_{j-1}] = \max\{0,\ P_j - \delta\}$$

$$\Pr[M_j = 1,\ R_j = 1 \mid R'_1, \ldots, R'_{j-1}] = \max\{0,\ \delta - P_j\}$$

Let us write $E_j$ for the event $[\exists i \le j,\ M_i \ne 0]$. We outline how to use the above results to upper bound the unconditional probability $\Pr[E_j]$ for $j \le q$. First, from the law of $M$ we get $\Pr[M_j = 1 \mid R'_1, \ldots, R'_{j-1}] \le |P_j - \delta| \le 1$, which we can bound further using our previous bounds on $P_j$ in the cases where $|X_{j-1}^{(1)}| = 0, 1$.

Next, we need to bound the probabilities $\Pr[X_{j-1}^{(0)}, X_{j-1}^{(1)}]$ of the conditioning events. The difficulty here is that the random variables $X_{j-1}^{(0)}, X_{j-1}^{(1)}$ derive from the complicated process $R'$. Fortunately, conditionally on the event $\neg E_{j-1}$ the process $R'$ identifies with the binomial process $R$, so that these probabilities have nice expressions as functions of $j$ and $|X_{j-1}^{(1)}|$. Note that these probabilities vanish quickly as $|X_{j-1}^{(1)}|$ increases, which is why we bounded $P_j$ for $|X_{j-1}^{(1)}| = 0, 1$ only.

Thus, we have just reduced the upper bound computation of $\Pr[E_j]$ to that of $\Pr[E_{j-1}]$. Carrying this idea through, after some calculations we obtain

$$\Pr[E_j] = \Pr[\exists i \le j,\ M_i \ne 0] = \sum_{i=1}^{j} \Pr[M_i = 1,\ \neg E_{i-1}] \le [\ldots]$$

The formal derivation of this result may be found in the full version of the paper.

To conclude, we correct for the probability $\varepsilon_H$ of finding a hash collision in the allotted time $t$, which in the worst scenario could yield an infallible discriminator between $F$ and $R$. It follows that the probability that the $F$ and $R$ oracles can be distinguished admits the upper bound $\varepsilon_H + \Pr[E_q] \le \varepsilon_{PRF}$, as required. □



5.2 Admissibility from Collision Resistance

We now show how to construct an admissible hash function family $\tilde{\mathcal{H}} = \{\tilde H_k : \{0, 1\}^w \to \Sigma^n\}_{k \in \mathcal{K}}$ in the sense of Theorem 2, given an "ordinary" family of $(t, \varepsilon_H)$-collision resistant hash functions $\mathcal{H} = \{H_k : \{0, 1\}^w \to \{0, 1\}^{\beta}\}_{k \in \mathcal{K}}$. We give an explicit construction for the specific case of a binary alphabet ($s = 2$).

Theorem 3. Let $\mathcal{H} = \{H_k : \{0,1\}^w \to \{0,1\}^{\beta}\}_{k \in \mathcal{K}}$ be an efficiently computable $(t, \varepsilon_H)$-collision resistant hash function family. Then for any $r \in (0, \tfrac{1}{2})$ there exists an efficiently computable function family $\tilde{\mathcal{H}} = \{\tilde H_k : \{0,1\}^w \to \{0, 1\}^n\}_{k \in \mathcal{K}}$ that satisfies both the $(t, \varepsilon_H)$-collision resistance property and the bitwise $v$-Hamming separation property, where $\beta \le n \le 2\beta^2/(1 - 2r)^2$ and $v/n \ge r$.

Proof. Let $t$ be the smallest positive integer such that $2^t > \lceil \beta/t \rceil/(1 - 2r) + 1$, and define $\ell = \lceil \beta/t \rceil$.

Let $\mu' : \{0, 1\}^t \to \mathbb{F}_{2^t}$ be any bijection. Define the injection $\mu : \{0, 1\}^{\beta} \to \mathbb{F}_{2^t}^{\ell}$ that, on input $z \in \{0, 1\}^{\beta}$, partitions $z$ into $\ell$ fragments of $t$ bits each (padding the last fragment as necessary), applies the map $\mu'$ to each fragment, and concatenates all the outputs.

Let $\rho : \mathbb{F}_{2^t}^{\ell} \to \mathbb{F}_{2^t}^{2^t - 1}$ be a Reed-Solomon error correcting code with parameters $[2^t - 1, \ell, 2^t - \ell]$, i.e., a linear code that takes input words of size $\ell$ over the alphabet $\mathbb{F}_{2^t}$ and produces codewords of length $2^t - 1$ with minimum pairwise Hamming distance $2^t - \ell$.

Let $\eta' : \mathbb{F}_{2^t} \to \{0, 1\}^{2^t}$ be the injection that maps any field element $i \in \{0, \ldots, 2^t - 1\}$ to the $2^t$-bit vector given by the $i$-th row of a $2^t \times 2^t$ Hadamard matrix. Recall that a binary $m \times m$ Hadamard matrix is such that any two distinct rows or columns agree on exactly $m/2$ coordinates; it is well known that a $2^t \times 2^t$ Hadamard matrix exists and is easy to construct for all $t \ge 1$. Define the function $\eta : \mathbb{F}_{2^t}^{2^t - 1} \to \{0, 1\}^{2^t(2^t - 1)}$ that applies $\eta'$ individually to each coordinate of its input word and concatenates the resulting Hadamard vectors.

The desired hash family is then given by $\tilde{\mathcal{H}} = \{\tilde H_k : \{0,1\}^w \to \Sigma^n\}_{k \in \mathcal{K}}$ where $\tilde H_k = \eta \circ \rho \circ \mu \circ H_k$.

It remains to show that $\tilde{\mathcal{H}}$ has the desired properties.

First, since $\eta \circ \rho \circ \mu$ is an injection, the $(t, \varepsilon_H)$-collision resistance of $H_k$ entails the same for $\tilde H_k$.

Next, by the stated properties of the Reed-Solomon code, $\rho$ produces codewords of size $2^t - 1$ with minimum pairwise Hamming distance $2^t - \ell$ in $\mathbb{F}_{2^t}$. Since $\eta'$ turns any two distinct elements of $\mathbb{F}_{2^t}$ into $2^t$-bit vectors that differ in $2^{t-1}$ positions, it follows that $\eta \circ \rho$ produces binary vectors of size $n = 2^t(2^t - 1)$ with minimum pairwise Hamming distance $v = 2^{t-1}(2^t - \ell)$ in $\mathbb{F}_2$. The corresponding ratio $v/n$ is bounded as follows. Since $t$ is chosen such that $(2^t - 1)(1 - 2r) > \ell$, we have $2^t - \ell > 2r(2^t - 1) + 1$, hence $(2^t - \ell)/(2^t - 1) > 2r$. It follows that $v/n \ge r$, as claimed.

Last, we have that $\beta \le n = 2^t(2^t - 1) \le 2\lceil \beta/t \rceil^2/(1 - 2r)^2 \le 2\beta^2/(1 - 2r)^2$, as required. □
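As an added worked example (not code from the paper), the following Python implements the chain $\eta \circ \rho \circ \mu$ from the proof of Theorem 3 and checks the $v$-Hamming separation property of Section 5 on it exhaustively for a toy output length: $\mu$ splits the $\beta$-bit digest into $t$-bit fragments, $\rho$ is the Reed-Solomon $[2^t - 1, \ell, 2^t - \ell]$ evaluation code over $\mathbb{F}_{2^t}$, and $\eta'$ maps a field element to a row of the Sylvester-Hadamard matrix. Assumptions of the example: $\mu'$ reads a fragment as an integer, $\mathbb{F}_{2^t}$ is realized with a fixed irreducible polynomial per $t$, and the collision resistant $H_k$ is stood in for by SHA-256 truncated to $\beta$ bits (keyless, so the family index $k$ is dropped). All function names are the example's own.

```python
import hashlib
from itertools import combinations
from math import ceil

# Irreducible polynomials over GF(2) defining GF(2^t) for t = 1..8
# (bit i is the coefficient of X^i); an assumption of this example.
IRREDUCIBLE = {1: 0b11, 2: 0b111, 3: 0b1011, 4: 0b10011,
               5: 0b100101, 6: 0b1000011, 7: 0b10000011, 8: 0b100011011}


def gf_mul(a, b, t):
    """Multiply two elements of GF(2^t), each held as a t-bit integer."""
    poly, result = IRREDUCIBLE[t], 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a >> t:          # reduce once the degree reaches t
            a ^= poly
    return result


def choose_t(beta, r):
    """Smallest t with 2^t > ceil(beta/t)/(1-2r) + 1, as in the proof."""
    t = 1
    while 2 ** t <= ceil(beta / t) / (1 - 2 * r) + 1:
        t += 1
    return t


def code_parameters(beta, r):
    """(t, ell, n, v) exactly as the proof of Theorem 3 defines them."""
    t = choose_t(beta, r)
    ell = ceil(beta / t)
    return t, ell, 2 ** t * (2 ** t - 1), 2 ** (t - 1) * (2 ** t - ell)


def mu(z_bits, t, ell):
    """mu: ell fragments of t bits (last one zero-padded), each read as an
    element of GF(2^t) via the bijection mu' = 'integer value of the bits'."""
    padded = z_bits + [0] * (ell * t - len(z_bits))
    return [int("".join(map(str, padded[i * t:(i + 1) * t])), 2) for i in range(ell)]


def rho(msg, t):
    """rho: Reed-Solomon evaluation encoding.  The message is the coefficient
    vector of a polynomial of degree < ell, evaluated (Horner's rule) at
    every non-zero field element, giving 2^t - 1 symbols."""
    out = []
    for x in range(1, 2 ** t):
        acc = 0
        for coeff in reversed(msg):
            acc = gf_mul(acc, x, t) ^ coeff
        out.append(acc)
    return out


def eta_prime(i, t):
    """Row i of the 2^t x 2^t Sylvester-Hadamard matrix as bits: entry j is
    the parity of popcount(i & j).  Distinct rows differ in exactly 2^(t-1)
    coordinates, because row i xor row i' equals row (i xor i')."""
    return [bin(i & j).count("1") & 1 for j in range(2 ** t)]


def eta(word, t):
    """eta: concatenate eta' applied to every coordinate of the word."""
    return [bit for c in word for bit in eta_prime(c, t)]


def hamming(x, y):
    return sum(a != b for a, b in zip(x, y))


def encode(z_bits, beta, r):
    """eta o rho o mu on one beta-bit string."""
    t, ell, _, _ = code_parameters(beta, r)
    return eta(rho(mu(z_bits, t, ell), t), t)


def admissible_hash(msg_bytes, beta, r):
    """H~ = eta o rho o mu o H with H = low-order beta bits of SHA-256
    (stand-in for the paper's keyed collision resistant H_k)."""
    digest = int.from_bytes(hashlib.sha256(msg_bytes).digest(), "big")
    z_bits = [(digest >> (beta - 1 - i)) & 1 for i in range(beta)]
    return encode(z_bits, beta, r)


def min_distance_over_domain(beta, r):
    """Encode every beta-bit string and return the smallest pairwise Hamming
    distance; the proof promises it is at least v = 2^(t-1)(2^t - ell)."""
    words = [encode([(z >> (beta - 1 - i)) & 1 for i in range(beta)], beta, r)
             for z in range(2 ** beta)]
    return min(hamming(a, b) for a, b in combinations(words, 2))


if __name__ == "__main__":
    beta, r = 6, 0.25                      # constructed toy parameters
    print("t, ell, n, v =", code_parameters(beta, r))
    print("min distance over all 2^beta inputs =", min_distance_over_domain(beta, r))
    print("len(H~(msg)) =", len(admissible_hash(b"constructed message", beta, r)))
```

For $\beta = 6$ and $r = 1/4$ the recipe gives $t = 3$, $\ell = 2$, $n = 56$, $v = 24$, and the exhaustive check finds exactly 24 as the smallest distance between distinct encodings, so the separation bound is tight here; with $\beta = 7$ the last fragment is padded, $\ell$ becomes 3 and $v$ drops to 20, again attained.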



5.3 Putting It All Together: Concrete Bounds

It is useful to assign a more concrete meaning to the values taken by the parameters intervening in Theorems 2 and 3. We assume to be given $\varepsilon_H$ (the adversarial advantage against the collision resistant hash functions), $\beta$ (the collision resistant hash output length in bits), and $q$ (the allowed number of PRF queries), under the "birthday paradox" constraint that $q\ [\ldots]$. Our task is to find a suitable set of parameters so that (1) the security $\varepsilon_{IBE}$ of the IBE system of Section 4.2 is within a polynomial factor of $\varepsilon_{BDH}$, and (2) the complexity of the four IBE operations takes polynomial time in the security parameters. For $s = 2$, we require that $\varepsilon_{IBE}/\varepsilon_{BDH} \le O(\mathrm{poly}(q))$ and $n \le O(\mathrm{poly}(\beta, \log(q), \log(1/\varepsilon_{IBE})))$.

We describe two settings of the parameters; one favoring security, the other favoring performance.

Favoring security. We first show how to satisfy the requirements for the PRF construction with a binary alphabet ($s = 2$) when the intrinsic PRF error probability (defined as $\varepsilon'_{PRF} = \varepsilon_{PRF} - \varepsilon_H$ in the notation of Theorem 2) is pegged to $\varepsilon'_{PRF} = \varepsilon_H$. We arbitrarily choose $\kappa \triangleq 2$ and successively derive: $\gamma \triangleq \sqrt{\varepsilon'_{PRF}}/2$, $m \triangleq \lceil \log_2(2q/\gamma) \rceil$, $\delta \triangleq 2^{-m} \approx \gamma/2q$, $r \triangleq 1 - \sqrt[m]{2}/2 \approx \tfrac{1}{2} - \tfrac{1}{3m}$, $t \triangleq$ least s.t. $2^t > \lceil \beta/t \rceil/(1 - 2r) + 1$, $\ell \triangleq \lceil \beta/t \rceil$, $n \triangleq 2^t(2^t - 1)$, $v \triangleq 2^{t-1}(2^t - \ell)$, and $\theta \triangleq (1 - v/n)^m \le \kappa\delta$. Evidently, the total PRF loss $\varepsilon_{PRF} = \varepsilon_H + \varepsilon'_{PRF} = 2\varepsilon_H$ is negligible and the bandwidth coefficient $n = O(\log_2(q/\sqrt{\varepsilon_H})^2\,\beta^2)$ is polynomial in $\log q$ and $\beta$. The price to pay for such a low value of $\varepsilon_{PRF}$ is a fairly large $n$.

Favoring performance. We can attain better bounds by adjusting the PRF loss to best match the intrinsic loss incurred by the IBE construction itself, as a function of $q$, as follows. Assuming that the loss $\varepsilon_H$ due to hash collisions is negligible, under the $(t, \varepsilon_{BDH})$-Decision BDH assumption Theorem 1 gives a $(t, q, \varepsilon_{IBE})$-secure IBE such that $\varepsilon_{IBE} \approx 2\varepsilon_{BDH}/(\delta(1 - \delta)^q - \varepsilon_{PRF}) \approx 2\varepsilon_{BDH}/(\sqrt{\varepsilon_{PRF}}/4q - \varepsilon_{PRF})$. We can minimize $\varepsilon_{IBE}$ for a prescribed value of $q$ by seeking $\varepsilon_{PRF} \triangleq (1/8q)^2$. For $\kappa \triangleq 2$ this gives us a total IBE security loss $\varepsilon_{IBE} \approx 64\,q^2\,\varepsilon_{BDH} = \Theta(q^2\,\varepsilon_{BDH})$ under the improved bandwidth requirement $n \le (9 + 4\log_2 q)^2\beta^2 = O((\log_2 q)^2\beta^2)$.

We note that the optimal value of $\kappa$ varies and is tied to the coding construction. We defer to the full paper the question of optimizing for all parameters.
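The two parameter settings above are a recipe a practitioner can evaluate; the following Python is an added example (not the paper's code) that carries the "favoring security" derivation through step by step for constructed inputs, checks the side conditions $\theta \le \kappa\delta$, $v/n \ge r$ and $q < \gamma/\kappa\delta$ of Theorems 2 and 3, and then feeds the "favoring performance" choice $\varepsilon_{PRF} = (1/8q)^2$ through the same steps to obtain the loss factor $\varepsilon_{IBE}/\varepsilon_{BDH}$ of Theorem 1. The inputs ($\varepsilon_H = 2^{-80}$, $\beta = 160$, $q = 10^9$) and the function names are the example's own.

```python
import math


def derive_security_parameters(eps_prf_intrinsic, beta, q, kappa=2):
    """The 'favoring security' recipe of Section 5.3 with the side conditions
    of Theorems 2 and 3 evaluated on the result."""
    gamma = math.sqrt(eps_prf_intrinsic) / 2           # gamma = sqrt(eps'_PRF)/2
    m = math.ceil(math.log2(2 * q / gamma))             # m = ceil(log2(2q/gamma))
    delta = 2.0 ** (-m)                                 # delta = 2^-m
    r = 1 - 2 ** (1 / m) / 2                            # r = 1 - 2^(1/m)/2
    t = 1                                               # least t with 2^t > ceil(beta/t)/(1-2r) + 1
    while 2 ** t <= math.ceil(beta / t) / (1 - 2 * r) + 1:
        t += 1
    ell = math.ceil(beta / t)
    n = 2 ** t * (2 ** t - 1)                           # binary output length
    v = 2 ** (t - 1) * (2 ** t - ell)                   # guaranteed Hamming separation
    theta = (1 - v / n) ** m
    return {
        "gamma": gamma, "m": m, "delta": delta, "r": r, "t": t, "ell": ell,
        "n": n, "v": v, "theta": theta,
        "theta_ok": theta <= kappa * delta,             # Theorem 2: theta <= kappa*delta
        "q_ok": q < gamma / (kappa * delta),            # Theorem 2: q < gamma/(kappa*delta)
        "ratio_ok": v / n >= r,                         # Theorem 3: v/n >= r
    }


def ibe_loss_factor(delta, q, eps_prf):
    """epsilon_IBE / epsilon_BDH = 2 / (delta*(1-delta)^q - eps_PRF) from
    Theorem 1, or None when Theorem 1's hypothesis Delta > eps_PRF fails."""
    denom = delta * (1 - delta) ** q - eps_prf
    return 2 / denom if denom > 0 else None


def favoring_performance(beta, q, kappa=2):
    """The second setting: eps_PRF = (1/8q)^2 with the hash-collision loss
    assumed negligible, run through the same derivation."""
    eps_prf = (1 / (8 * q)) ** 2
    params = derive_security_parameters(eps_prf, beta, q, kappa)
    params["eps_prf"] = eps_prf
    params["loss_factor"] = ibe_loss_factor(params["delta"], q, eps_prf)
    return params


if __name__ == "__main__":
    beta, q = 160, 10 ** 9                               # constructed inputs
    sec = derive_security_parameters(2.0 ** -80, beta, q)
    print("favoring security:", {k: sec[k] for k in ("m", "t", "ell", "n", "v")},
          "checks:", sec["theta_ok"], sec["q_ok"], sec["ratio_ok"])
    perf = favoring_performance(beta, q)
    print("favoring performance: m =", perf["m"],
          "eps_IBE/eps_BDH =", perf["loss_factor"],
          "per q^2:", perf["loss_factor"] / q ** 2)
```

For these inputs the security setting needs $m = 72$, $t = 11$, $\ell = 15$ and therefore $n = 2^{11}(2^{11} - 1) \approx 4.2 \cdot 10^6$ hash output bits, which is the "fairly large $n$" the text warns about; the performance setting lands at $m = 65$ and a loss factor on the order of $10^2 \cdot q^2$. The constant differs from the rough $64$ quoted above because $m$ is rounded up to an integer, so $\delta$ is somewhat smaller than $\sqrt{\varepsilon_{PRF}}/4q$.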

6 Extensions

We very briefly outline a few simple extensions of the IBE system of Section 4.2.

Hierarchical IBE. Introduced by Horwitz and Lynn [HL02], HIBE was first constructed by Gentry and Silverberg [GS02] in the random oracle model. The IBE system of Section 4.2 generalizes naturally to give a semantically secure HIBE under an adaptive chosen identity attack (IND-ID-CPA) without random oracles. For a hierarchy of depth $\ell$, both the ciphertext and private key contain $\ell$ blocks where each block contains $n$ components. Thus, a private key at depth $\ell$ is an element of $[\ldots]$. As our IBE, the HIBE uses collision resistant hash functions and is provably secure without random oracles whenever the Decision BDH assumption holds. The construction is similar to the construction of a (selective identity secure) HIBE without random oracles based on Decision BDH recently proposed by Boneh and Boyen [BB04]. The details are deferred to the full version of the paper.

Chosen Ciphertext Security. A recent result of Canetti et al. [CHK04] gives an efficient way to build a chosen ciphertext IBE (IND-ID-CCA) from a chosen plaintext 2-HIBE (IND-ID-CPA). Thus, by the previous paragraph, we obtain a full chosen identity, chosen ciphertext IBE (IND-ID-CCA) that is provably secure without random oracles. More generally, by starting from an $(\ell + 1)$-HIBE, a fully secure $\ell$-HIBE can be similarly constructed without random oracles.

Arbitrary Identities. We can extend our IBE system to handle identities $\mathrm{ID} \in \{0, 1\}^*$ (as opposed to $\mathrm{ID} \in \{0, 1\}^w$) by first hashing ID using a collision resistant hash function $H : \{0, 1\}^* \to \{0, 1\}^w$ prior to key generation and encryption. A standard argument shows that if the scheme of Section 4.2 is IND-ID-CPA secure then so is the scheme with the additional hash. This holds for the HIBE and the chosen ciphertext secure system as well.

7 Conclusions

We presented an Identity Based cryptosystem and proved its security without using the random oracle heuristic under the decisional Bilinear Diffie-Hellman assumption. Our results prove that secure IBE systems exist in the standard model. This resolves an open problem posed by Boneh and Franklin in 2001. However, the present system is not very practical and mostly serves as an existence proof. It is still a wonderful problem to find a practical IBE system secure without random oracles based on Decision BDH or a comparable assumption.
Abstract. A timestamping scheme is non-interactive if a stamper can stamp a document without communicating with any other player. The only communication done is at validation time. Non-interactive timestamping has many advantages, such as information theoretic privacy and enhanced robustness. Unfortunately, no such scheme exists against polynomial time adversaries that have unbounded storage at their disposal. In this paper we show non-interactive timestamping is possible in the bounded storage model. In this model it is assumed that all parties participating in the protocol have small storage, and that in the beginning of the protocol a very long random string (which is too long to be stored by the players) is transmitted. To the best of our knowledge, this is the first example of a cryptographic task that is possible in the bounded storage model, but is impossible in the "standard cryptographic setting", even assuming cryptographic assumptions.

We give an explicit construction that is secure against all bounded storage adversaries, and a significantly more efficient construction secure against all bounded storage adversaries that run in polynomial time.

Keywords: timestamping, bounded storage model, expander graphs, extractors

1 Introduction

The date on which a document was created is often a significant issue. Patents, contracts, wills and countless other legal documents critically depend on the date they were signed, drafted, etc. A timestamp for a document provides convincing proof that it existed at a certain time. For physical documents, many methods are known and widely used for timestamping: publication, witnessed signing and placing copies in escrow are among the most common. Techniques for timestamping digital documents, which are increasingly being used to replace their physical counterparts, have also become necessary.

Loosely speaking, a timestamping scheme consists of two mechanisms: a stamping mechanism which allows a user to stamp a document at some specific time $t$, and a verification mechanism which allows a recipient to verify at a later time $t' > t$ that the document was indeed stamped at time $t$.

* Research supported by the Koshland Scholarship.
Previous Work

Digital timestamping systems were first introduced in Haber and Stornetta [16], where three timestamping systems are described. In the naive timestamping protocol, the stamper sends the document to all the verifiers during timestamp generation. In the linking scheme, the stamper sends a one-way hash of the document to a trusted timestamping server. The server holds a current hash, which it updates by hashing it with the value sent by the stamper. This links the document to the previous documents and to the succeeding ones. In the distributed trust scheme, the document is used to select a subset of verifiers, to which the stamper sends a hash of the document. Bayer, Haber and Stornetta [3] improve upon the linking scheme, reducing the communication and storage requirements of the system and increasing its robustness, by replacing the linear list with a tree. Further work [17, 7, 6, 8, 5, 4] is mainly focused on additional improvements in terms of storage, robustness and reducing the trust required in the timestamping server(s).

One common feature of all the above protocols is that they require the stamper to send messages to a central authority (or a distributed set of servers) at timestamp generation.

Non-interactive Timestamping

We call a timestamping scheme non-interactive if it does not require the stamper to send messages at timestamp generation. Non-interactive timestamping schemes, if they exist, have a number of obvious advantages over active schemes. However, the notion of non-interactive timestamping seems self-contradictory. How can we prevent an adversary from faking timestamps, if no action is taken at timestamp generation? More precisely, suppose that an adversary "learns" some document at time $t' > t$ and wants to convince a verifier that he stamped the document at time $t$. He can simulate the behavior of an "honest stamper" who signs the document at time $t$ and generate a timestamp for the document. Note that the "honest stamper" does not need to send any messages before time $t'$ and therefore the adversary will be able to convince a verifier that the document was stamped at time $t$.

A crucial point in the argument above is that in order to perform this simulation the adversary must store all the information available to the "honest stamper" at time $t$. We show that non-interactive timestamping is possible in a scenario in which parties have bounded storage.

The Bounded Storage Model

In contrast to the usual approach in modern Cryptography, Maurer's bounded storage model [19] bounds the storage (memory size) of dishonest players rather than their running time.

Tal Moran, Ronen Shaltiel, and Amnon Ta-Shma

In a typical protocol in the bounded storage model a long random string $r$ of length $R$ is initially broadcast and the interaction between the polynomial-time participants is conducted based on storing small portions of $r$. The security of such protocols should be guaranteed even against dishonest parties which have a lot of storage (much more than the honest parties) as long as they cannot store the whole string. Most of the previous work on the bounded storage model concentrated on private key encryption [19, 10, 2, 1, 14, 15, 18, 25], Key Agreement [10] and Oblivious Transfer [9, 12, 13]. In contrast, the notion of non-interactive timestamping cannot be implemented in the "standard cryptographic setting". To the best of our knowledge this is the first example of a protocol in the bounded storage model which achieves a task that is impossible in the "standard cryptographic setting".



Non-interactive Timestamping in the Bounded Storage Model

We now explain our setting for non-interactive timestamping in the bounded storage model. We assume that there are $\ell$ rounds and at every round $1 \le t \le \ell$, a long random string $r$ of length $R$ is transmitted¹.

The Stamping Mechanism: To stamp a document $doc$ at time $t$, the scheme specifies a function $\mathrm{Stamp}(doc, r)$ whose output is short. To stamp the document $doc$, the stamper stores $\mathrm{Stamp}(doc, r)$. Intuitively, an adversary (who does not know $doc$ at time $t$) is not able to store the relevant information and therefore is unable to stamp $doc$.

The Verification Mechanism: The verifier stores a short "sketch" of $r$ (denoted by $\mathrm{Sketch}(r)$) for every time $t$. At a later time the stamper can send the timestamp $\mathrm{Stamp}(doc, r)$ and the verifier checks whether this timestamp is "consistent" with his sketch.

Efficiency of a Timestamping Scheme: We say that a timestamping scheme is $(T, V)$-efficient if the stamper's algorithm runs online (that is, in one pass) using space $T$ and polynomial time and the verifier's algorithm runs online using space $V$ and polynomial time. We want $T$ and $V$ to be small as functions of $R$.

Our Notion of Security

Loosely speaking, we want to ensure that even an adversary with a lot of storage (say storage $M = \delta R$ for some constant $\delta < 1$) cannot forge a timestamp. Note, however, that a stamper with storage $M > T$ can easily stamp $k = M/T$ documents by running the stamping mechanism on some $k$ documents and storing the generated timestamps (each of which is of length at most $T$). We will therefore say that a scheme is secure if no adversary with space $M$ can successfully stamp significantly more than $M/T$ documents.

¹ One can imagine that random bits are transmitted at high rate continuously by a trusted party, and that the string $r$ consists of the bits transmitted between time $t$ and time $t + 1$.

One can also consider a probabilistic notion of security: given a randomly chosen document, after the random string has passed, the adversary will not be able to stamp the document with more than negligible probability. We note that our notion of security implies this probabilistic notion as well.

Security of a Timestamping Scheme: Given a $(T, V)$-efficient timestamping scheme, let $M_{\max}$ be the bound on the storage of the most powerful adversary. The scheme is $\alpha$-optimal ($\alpha \ge 1$) if, for every $M \le M_{\max}$, no adversary with space $M$ can successfully stamp more than $\alpha M/T$ documents (for a formal definition of "successful stamping" see Definition 4).

Notice that the definition above requires $\alpha$-optimality for every $M \le M_{\max}$. Requiring $\alpha$-optimality for $M_{\max}$ only would have allowed adversaries with $M \ll M_{\max}$ to produce stamped documents, contradicting the definition's spirit. The definition in its current form assures us that any adversary, weak or strong, with at most $M_{\max}$ memory, can honestly stamp the same number of documents if given slightly more resources (storage $\alpha M$ instead of $M$).



Our Results 

In this paper we give two explicit constructions of non-interactive timestamping 
schemes in the bounded storage model. The first is secure in an information- 
theoretic sense (in the spirit of previous constructions in the bounded storage 
model) . It requires no unproven assumptions and is secure against any adversary 
with arbitrary computational power as long as its storage capability is bounded. 
We now state this result (precise definitions appear in Section 3). 

Theorem 1. For every η > 0 and large enough R there exists a timestamping 
scheme that is {T = R = efficient and O(1)-optimal. 

More precisely, every adversary with space M* < Mmax = Ω(R) has probabil- 
ity at most 2~^ * ' to successfully stamp more than O(M*/T) documents. The 
timestamping scheme allows stamping documents of length R^^^^ and allows 
rO{u) rounds. 

Our second system is more efficient. To achieve this efficiency it relies on 
cryptographic assumptions and is therefore secure only against adversaries that, 
in addition to being storage bounded, are required to run in polynomial time. 

Theorem 2. Assume that there exist collision resistant hash functions. There 
exists a timestamping scheme that is $(T = V = 2^{(\log\log R)^{O(1)}})$-efficient 
and O(log R)-optimal. More precisely, every adversary with space M* < 
Mmax = Ω(R) and running time polynomial in R has negligible probability to 
successfully stamp more than O(log R · M*/T) documents. The timestamping 
scheme allows stamping documents of length R and allows R rounds. 

We remark that our technique can potentially reduce T and V to $\log^{O(1)} R$. 
This improvement requires an explicit construction of certain “expander graphs” 
that is not known today. More details will appear in the full version of the paper. 
Advantages of Our Non-interactive Timestamping Scheme 

Non-interactive timestamp systems have some significant advantages over the 
interactive systems known to date. We summarize some of these below: 

— The only communication made before the verification process is the trans- 
mission of the random string r. This allows the timestamp system to be 
used in situations where communication is infeasible or undesirable. E.g., 
communication may be asymmetric: one central agency can broadcast to all 
other users, while the users cannot send messages to the agency. 

— Everyone can stamp and everyone can verify and no central control or ac- 
quaintance between stamper and verifier is needed. The decentralized na- 
ture of this scheme overcomes many of the “trust” problems with interactive 
timestamp systems. Even in distributed interactive systems, some measure 
of trust must be given to third parties. Our non-interactive timestamp sys- 
tem requires only that the random string be truly random and receivable by 
all parties. 

— Privacy. The scheme hides the fact that timestamping occurred at all, e.g., 
an inventor can safeguard her inventions without revealing even the fact of 
their existence. This also ensures privacy in an information-theoretic sense. 

— Our schemes solve some of the robustness problems that plague interactive 
timestamping systems. In particular, it is much more difficult to mount a 
denial-of-service attack: there is no central point that can shut down the sys- 
tem, and even temporarily shutting down communications will not prevent 
the creation of new timestamps. The lack of communication also makes it 
difficult for an attacker to tell whether such an attack has succeeded. 

Overview of the “Information-Theoretic” Construction 

The setup is the following: A string r of length R is transmitted and the stamper 
wants to convince a verifier that he “knew” a document prior to the transmission 
of this string. 

Using the Document to Select Indices: We implement the function Stamp(doc, r) 
as follows: Each document doc specifies some D indices that the stamper will 
remember from the long string. For that we use a bipartite graph where the 
left-hand vertices are all possible documents, the right-hand vertices are indices 
1 ≤ i ≤ R and every left vertex has D neighbors. The indices selected by a 
document doc are the neighbors of doc. We want to force a stamper who would 
like to stamp k documents to store many indices. Intuitively, this is equivalent 
to the requirement that every k documents on the left have many different 
neighbors. This naturally leads to using an expander graph. (A bipartite graph 
is a (K, c)-expander if every k ≤ K vertices on the left have at least kc neighbors 
on the right).^ 

^ We stress that we need to use unbalanced graphs (graphs which have many more 
vertices on the left than on the right-hand side). Such graphs were constructed in 
[24, 23]. However, we need graphs with somewhat different parameters. We construct 
such graphs by combining the constructions of [24] and a slight modification of [23, 
21] (which in turn relies on explicit constructions of “randomness extractors” from 
[21,22]). 
To stamp a document doc, the stamper stores the content of the long string 
at the indices specified by doc. We use graphs with expansion c ≈ D, therefore 
to correctly stamp k documents simultaneously an honest stamper must store 
roughly kD bits. 

Using Random Sets for Verification: The function Sketch(r) is implemented as 
follows. The verifier chooses a random subset of size |H| ≈ R/D from the indices 
of r and stores the content of r at these indices. After the transmission of the 
random string r, a stamper may send a timestamp of a document doc (that 
consists of the content of r at the D indices defined by doc). By the birthday 
problem, with high probability (over the choice of the verifier’s random set) 
some of these indices were also stored by the verifier. The verifier checks that 
the content sent by the stamper is consistent with what he stored. 

For a fixed string r and document doc, we say that a timestamp is “incorrect” 
if it differs from the “correct” timestamp of doc in many indices. The verification 
process we described guarantees that, with high probability, the verifier will 
reject an “incorrect” timestamp. 

A Sketch of the Security Proof: The basic intuition for the security proof is 
the following: Suppose that an adversary is able to successfully stamp some 
k documents. This means that he correctly stamped these k documents (as 
otherwise he is caught by the verifier). However, correctly stamping k documents 
requires storing kD indices, therefore if the storage of the adversary is kD ≤ M < 
(k + 1)D he can successfully stamp at most k documents. This is the best we 
can hope for (by our notion of security) as he could have stamped k documents 
by simply running the “stamping mechanism” on any k documents. 

However, the argument above is not sufficient. It does not rule out the pos- 
sibility that the adversary can stamp many documents such that the identity of 
these documents depends on the random string r. Our security definition requires 
that for every adversary, with high probability (over the choice of r) there do 
not exist k documents which the adversary can successfully stamp. To prove 
the security of our scheme we use a “reconstruction argument” and show that 
any adversary which breaks the security guarantee can be used to compress the 
string r into a shorter string in a way that does not lose a lot of information. As 
the string r is random, we get a contradiction. The details are given in Section 4. 

Overview of the “Computationally-Bounded” Construction 

In the previous construction we chose |H| ≈ R/D so that a random subset of size 
|H| in [R] would intersect a subset of size D. We chose |H| = D ≈ √R, allowing 
both the honest stamper and the verifier to store only √R bits. We now show 
how to increase the efficiency and reduce the storage of honest parties to only 
$2^{(\log\log R)^{O(1)}}$. 

We use the same index selection mechanism as before. However, this time 
we choose $D = 2^{(\log\log R)^{O(1)}}$ (this precise choice of parameters corresponds to 
certain expander graphs). The verifier stores a short “hash” of the string r. When 
stamping a document the stamper also supplies a short “proof” that the indices 
he sent are consistent with the hashed value held by the verifier. We implement 
such a hashing scheme using Merkle trees [20]. We show that if collision resistant 
hash functions exist then a polynomial time adversary with bounded storage 
cannot produce an incorrect timestamp of a document. More precisely, we show 
that after the transmission of the random string r, no polynomial time adversary 
can generate many documents and stamp them correctly. 

Hashing Documents Before Stamping Them: A bottleneck of our scheme is that 
when using expanders of degree D we can only handle documents of length D.^ 
However, in a computational setting (as we have already assumed the existence 
of collision resistant hash functions) we can stamp longer documents by first 
hashing them to shorter strings and then stamping them. 

2 Preliminaries 

2.1 Notation 

The following conventions will be used throughout the paper. 

Random String: We refer to the random string as r, its length is denoted by 
R, and we think of it as composed of N blocks of length n denoted $r_1, \ldots, r_N$. 
For any subset S ⊆ [N], the expression $r|_S$ will be taken to mean the string 
generated by concatenating the blocks $r_i$ for all i ∈ S. 

Hamming Distance: The Hamming Distance between two strings $r_1$ and $r_2$ is 
the number of blocks on which the two strings differ. 

Online Space: For a family of functions F, we denote by Space(F) the maximum 
space used by any function in F. We say a function f can be computed online 
with space s if there is an algorithm using space at most s which reads its input 
bits one by one and computes f in one pass. 

2.2 Unbalanced Expander Graphs 

A graph is expanding if every sufficiently small set has a lot of neighbors. Our 
timestamping scheme relies on unbalanced expanders. 

Definition 1 (unbalanced expander graphs). A bipartite graph G = (V1, 
V2, E) is (Kmax, c)-expanding if, for any set S ⊆ V1 of cardinality at most Kmax, 
the set of its neighbors Γ(S) ⊆ V2 is of size at least c|S|. 

Note that we do not require that |V1| = |V2|. In fact, in our timestamping 
scheme we will use graphs in which |V1| ≫ |V2|. In this paper we need unbal- 
anced expanders with very specific requirements. Loosely speaking we want a 
(Kmax, Ω(D))-expanding graph with as small as possible degree D and right- 
hand side of size roughly KmaxD. We use some existing constructions of unbal- 
anced graphs [24] as well as a modification of [23] to prove the next theorem 
(the proof will appear in the full version of the paper). 

^ This is because in unbalanced expander graphs, the degree must be logarithmic in 
the number of left-hand vertices. Thus, shooting for degree D we can at most get 
that the left-hand set (which is the set of documents) is of size $2^D$. 

Theorem 3. There exists a fixed constant β > 0 such that for every Kmax ≤ 
|V1|, there exists a bipartite graph G = (V1, V2, E) with left degree D that is 
(Kmax, c = βD) expanding with $D = 2^{O(\log\log|V_1| \cdot (\log\log K_{max})^3)}$ and |V2| ≤ 
4βKmaxD. Furthermore, this graph is explicit in the sense that given a vertex 
v ∈ V1 and an integer 1 ≤ i ≤ D one can compute the i’th neighbor of v in time 
polynomial in log|V1| + log D. 

3 One Round Timestamping: The Model 

In this section we formally define our model for timestamping in the bounded 
storage model. The definitions are only for a single round. Definitions for multiple 
rounds are straightforward generalizations and will appear in the full version. 

A long random string r of length R is transmitted. The verifier takes a short 
sketch Sketch(r) of the random string and remembers it. An honest stamper, 
who wants to stamp a document doc ∈ DOC, calculates y = Stamp(doc, r). 
When, at a later stage, the stamper wants to prove he knew the document doc at 
stamping time, he sends y to the verifier who computes Verify(Sketch(r), doc, y) 
and decides whether to accept or reject. More formally: 

Definition 2 (Non-Interactive timestamping scheme). A non-interactive 
timestamping scheme consists of three functions: 

— A stamping function Stamp(doc, r). 

— A sketch function Sketch(r) (we allow Sketch to be a probabilistic function). 

— A verification function Verify (Sketch{r), doc, y). 

We require that for every string r and document doc, the function 
Verify (Sketch (r), doc, Stamp(doc, r)) accepts. 

We define efficiency: 

Definition 3 (Efficiency). A non-interactive timestamping scheme is (T, V)- 
efficient if Stamp can be computed online in space T = T(R) and time polynomial 
in R, and Sketch can be computed online in space V = V(R) and time polynomial 
in R. 

An honest stamper with space M can easily stamp M/T documents by run- 
ning the function Stamp in parallel. We require that no adversary with memory 
M* can successfully stamp significantly more than M* /T documents. We first 
define our model for adversaries: 

Tal Moran, Ronen Shaltiel, and Amnon Ta-Shma 

Definition 4 (adversary). An adversary consists of two functions: Store*(r), 
which produces a short string b, and Stamp*(doc, b) which, given a document 
doc and b, attempts to produce a timestamp for doc. The space M* of an adver- 
sary is the maximal length of Store*(r).^ An adversary γ-successfully stamps a 
document doc at (some fixed) r if 

$\Pr[\mathrm{Verify}(\mathrm{Sketch}(r), doc, \mathrm{Stamp}^*(doc, \mathrm{Store}^*(r))) = \mathrm{Accept}] \ge \gamma$ 

Note that this probability is over the coin tosses of Sketch and the internal 
random coins of the adversary. Note that when the adversary is not computation- 
ally bounded, we can assume w.l.o.g. that the adversary is deterministic (does 
not use random coins). 

We define security as: 



Definition 5 (Security). We say that a (T, V)-efficient timestamping scheme 
is α-optimal (for p > 0, α > 1, γ > 0 and Mmax < R) if for every M* < Mmax 
and every adversary A with space M*, 

$\Pr_r\left[A \text{ can } \gamma\text{-successfully stamp } \tfrac{\alpha M^*}{T} \text{ documents at } r\right] \le p$ 

Definition 5 is very strong. It guarantees that whenever the sketch size is 
small, no matter how powerful the adversary is, the number of documents the 
adversary can successfully stamp is very small. 



3.1 Security Against Feasibly Generated Documents 

Until now, we have allowed the adversary to run in arbitrary time. When the 
adversary is time-bounded, we can imagine scenarios where Definition 5 does 
not hold, yet the system is secure because the adversary does not have the com- 
putational power to find the documents he can illegally stamp. It makes sense to 
require security only against “feasibly generated documents”. We model feasi- 
bly generated documents by a probabilistic polynomial time machine Generate* 
which, on input r and an integer k, outputs k documents (all different). 

Definition 6 (Security against feasibly generated documents). We say 
that a (T, V)-efficient timestamping scheme is α-optimal (for p > 0, α > 1, 
γ > 0 and Mmax < R) against feasibly generated documents, if for every M* < 
Mmax, every adversary A with space M*, and every polynomial time machine 
Generate*: 

$\Pr_{r,\,coins}\left[A\ \gamma\text{-successfully stamps at } r \text{ the documents } \mathrm{Generate}^*(r, \tfrac{\alpha M^*}{T})\right] \le p$ 

where the probability is over the choice of r and the random coins of Generate* 
and A. 

^ Note that the adversary is not required to run online in space M*. The function 
Store*(r) can be an arbitrary function of r. 
4 A Scheme with Information-Theoretic Security 

In this section we describe a timestamping scheme which is information theoret- 
ically secure against arbitrary adversaries with small storage. 



4.1 The Stamping Scheme 

Let R, N and n be integers such that R = N · n. Given a string r ∈ {0, 1}^R, 
we partition it into N blocks of n bits. We use $r_i$ to denote the i’th block of r. 
Let DOC denote the set of all documents which can be stamped. Let G be a 
(Kmax, βD) bipartite expander (V1, V2, E) with left degree D, where the “left” 
set V1 is DOC and the “right” set V2 is [N]. We define the three procedures 
Sketch, Stamp and Verify: 

— Stamp(doc, r) = $r|_{\Gamma(doc)}$. 

— Sketch(r) = $r|_H$, where H has |H| elements selected at random from [N]. 

— Verify(Sketch(r), doc, y) = Accept if $\mathrm{Sketch}(r)|_{H \cap \Gamma(doc)} = y|_{H \cap \Gamma(doc)}$, 
and Reject otherwise. 

Notice that Sketch(r) contains the restriction of r to the indices of H, and 
therefore in particular contains the restriction of r to the indices of H ∩ Γ(doc), 
and y contains the restriction of r to Γ(doc) and therefore in particular contains 
the restriction of r to the indices of H ∩ Γ(doc). 
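The three procedures above, as an added worked example (Python written for this page, not the authors' code): blocks are one byte each, the index selection Γ(doc) is replaced by D distinct indices derived from SHA-256 of the document (an assumption standing in for the explicit expander of Theorem 3), and stamp_online shows the one-pass, D-slot computation described in Section 4.2. The values of N, D and |H| and the sample document are constructed for the demo; the bound in escape_bound is the birthday-style estimate of Section 4.5.

```python
import hashlib
import math
import random

# Toy parameters (constructed for this example, not the paper's). Each block is one
# byte (n = 8), so the random string r is N bytes and R = 8N bits.
N = 4096        # number of blocks in r
D = 128         # left degree of G: block indices each document selects
H_SIZE = 512    # |H|: blocks the verifier samples; expected |H ∩ Γ(doc)| = D*|H|/N = 16


def gamma(doc: bytes, n_blocks: int = N, degree: int = D) -> list:
    """Index selection Γ(doc): D distinct block indices in [N] derived from doc.

    SHA-256 of doc plus a counter stands in for the explicit unbalanced expander of
    Theorem 3 (an assumption of this example, not the paper's construction). It is
    deterministic, so stamper and verifier agree on the indices without talking.
    """
    indices, seen, ctr = [], set(), 0
    while len(indices) < degree:
        digest = hashlib.sha256(doc + ctr.to_bytes(4, "big")).digest()
        j = int.from_bytes(digest[:4], "big") % n_blocks
        if j not in seen:
            seen.add(j)
            indices.append(j)
        ctr += 1
    return indices


def stamp(doc: bytes, r: bytes) -> bytes:
    """Stamp(doc, r) = r restricted to Γ(doc): the stamper keeps T = D blocks."""
    return bytes(r[j] for j in gamma(doc))


def stamp_online(doc: bytes, r_stream) -> bytes:
    """stamp() in one pass with only D slots of state (Section 4.2): the slots hold
    indices before the broadcast and are overwritten by block contents as r goes by."""
    slots = gamma(doc)                       # known before r is transmitted
    position = {j: pos for pos, j in enumerate(slots)}
    for j, block in enumerate(r_stream):
        if j in position:
            slots[position[j]] = block       # index replaced by content, in place
    return bytes(slots)


def sketch(r: bytes, rng: random.Random):
    """Sketch(r): a random set H of block indices and r restricted to H (V = |H| blocks)."""
    H = rng.sample(range(len(r)), H_SIZE)
    return frozenset(H), {j: r[j] for j in H}


def verify(sk, doc: bytes, y: bytes) -> bool:
    """Accept iff y agrees with the sketch on every index in H ∩ Γ(doc)."""
    H, stored = sk
    return all(stored[j] == y[pos] for pos, j in enumerate(gamma(doc)) if j in H)


def escape_bound(err: int, h_size: int = H_SIZE, n_blocks: int = N) -> float:
    """Birthday-style estimate from Section 4.5: a stamp wrong in err blocks avoids
    every sampled index with probability at most (1 - err/N)^|H| <= exp(-err*|H|/N)."""
    return math.exp(-err * h_size / n_blocks)


def demo(seed: int = 2004) -> dict:
    rng = random.Random(seed)
    r = bytes(rng.getrandbits(8) for _ in range(N))      # constructed broadcast string
    sk = sketch(r, rng)
    doc = b"constructed sample document: lab notebook, page 12"
    y = stamp(doc, r)
    forged = bytes(b ^ 0xFF for b in y)                  # wrong in all D blocks
    H, _ = sk
    return {
        "honest_accepted": verify(sk, doc, y),
        "online_matches": stamp_online(doc, iter(r)) == y,
        "forged_rejected": not verify(sk, doc, forged),  # holds whenever H ∩ Γ(doc) ≠ ∅
        "overlap": sum(1 for j in gamma(doc) if j in H),
        "escape_bound": escape_bound(D),                 # exp(-16)
        "stamper_blocks": len(y),                        # T = D
        "verifier_blocks": len(sk[1]),                   # V = |H|
    }
```

demo() returns the honest stamp accepted, the streaming stamper producing the same D blocks, and the all-wrong stamp rejected; "overlap" is the size of H ∩ Γ(doc) that the rejection depends on, and "escape_bound" the probability estimate for the forgery going unnoticed. With these toy sizes the verifier still stores R/8 of the string, which is the T·V trade-off that Section 5 improves on.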



Theorem 4. Let G be a (Kmax, βD)-expanding graph, γ > 0 and g = \ - Fix n 
large enough such that n > log N ≥ 1/(gβ) and assume that log|DOC| ≤ gβDn. If 
$D|H| \ge \frac{N}{g\beta}\ln(\frac{1}{\gamma})$ then the scheme is (T = Dn, V = |H|(n + log N))-efficient and 
α-optimal for $\alpha = \frac{1}{(1-4g)\beta}$, $p = 2^{-g\beta Dn}$, γ and Mmax = (1 − 4g)βDnKmax. 

Plugging in parameters, a corollary of this is: 



Corollary 1. For every η > 0 and large enough R we construct a timestamping 
scheme which is (T = efficient and O(1)-optimal with 
p = 2~^ \ γ = 2“'^ and Mmax = Ω(R). The timestamping scheme allows 
stamping documents of length R^Al. 



We prove the corollary in the full version of the paper. We remark that 
a probabilistic argument shows that there exist bipartite graphs of degree D 
which have expansion (1 − o(1))D and using such non-explicit graphs in our 
construction (and setting g = o(1)) gives α = (1 + o(1)) optimality (whereas 
Theorem 4 only achieves α = O(1)). In the remainder of the section we 
prove Theorem 4. 



4.2 Efficiency 

The verifier first chooses a random set H and stores it, and then stores $r|_H$. This 
can indeed be done online with space V = |H|(n + log N). We now explain how 
the stamper can run online in space T = Dn. Observe that it can calculate the 
indices it will need to store before the random string goes by (since it knows doc 
before it sees the random string). As the indices take D log N ≤ Dn space, it 
can work in place, replacing each index with the contents of the block as it goes 
by. We now turn to proving security. 

4.3 Security 

In Definition 4 we defined “successful stamping”. Without loss of generality, we 
assume the adversary is deterministic. Let $\mathcal{R}_{successful}(k) = \mathcal{R}^{\gamma}_{successful}(k)$ denote 
the set of random strings r on which the adversary γ-successfully stamps at least 
k documents. We would like to prove that $\mathcal{R}_{successful}$ has small probability. We 
first define a similar notion of “correct stamping”: 

Definition 7. An adversary correctly stamps a document doc at r if 
Stamp*(doc, Store*(r)) = $r|_{\Gamma(doc)}$. An adversary correctly stamps a document 
doc at r with at most err errors, if the Hamming distance between 
Stamp*(doc, Store*(r)) and $r|_{\Gamma(doc)}$ is at most err. 

We let $\mathcal{R}_{correct}(k) = \mathcal{R}^{err}_{correct}(k)$ denote the set of random strings r for 
which there are at least k documents that the adversary correctly stamps with at 
most err errors. 

The security proof has two parts. 

Lemma 1. Assume log|DOC| ≤ gβDn, err = gβD and n ≥ 1/(gβ). For every 
k ≤ Kmax and any adversary with space M* ≤ (1 − 4g)βkDn we have 
$\Pr_r[r \in \mathcal{R}_{correct}(k)] \le 2^{-g\beta kDn}$. 

We then relate $\mathcal{R}_{correct}$ to $\mathcal{R}_{successful}$. 

Lemma 2. Assume $D|H| \ge \frac{N}{g\beta}\ln(\frac{1}{\gamma})$. For every k, $\mathcal{R}_{successful}(k) \subseteq \mathcal{R}_{correct}(k)$. 

Together, the two lemmas prove the theorem. 

Proof (of Theorem 4). We need to show that no adversary with space M* can 
γ-successfully stamp more than k = αM*/T documents. Notice that for M* < Mmax, 
k = αM*/T ≤ αMmax/T = Kmax, and M* = kT/α = kDn(1 − 4g)β. Hence, 

$\Pr_r[r \in \mathcal{R}_{successful}(k)] \le \Pr_r[r \in \mathcal{R}_{correct}(k)] \le 2^{-g\beta kDn} \le 2^{-g\beta Dn} = p.$ 

The first inequality follows by Lemma 2 and the second inequality follows by Lemma 
1. The third inequality is because k ≥ 1. 



Non-interactive Timestamping in the Bounded Storage Model 

4.4 The Proof of Lemma 1 

We first define a compression function Com(r) for $r \in \mathcal{R}_{correct}(k)$. Let $r \in 
\mathcal{R}_{correct}(k)$. Suppose $doc_1, \ldots, doc_k$ are the documents that the adversary cor- 
rectly stamps at r with at most err errors. Denote $\Gamma = \bigcup_{1 \le i \le k} \Gamma(doc_i)$, that 
is the set of all indices which are selected by one of the k documents. Denote 
$BAD = \bigcup_{1 \le i \le k} BAD(doc_i)$, that is the set of all indices which are bad for at 
least one of the k documents. We call an index j ∈ Γ \ BAD useful. We choose 
Com(r) to be: 

$\mathrm{Com}(r) = (doc_1, \ldots, doc_k;\ \mathrm{Store}^*(r);\ r|_{\bar\Gamma};\ BAD;\ r|_{BAD})$ 

We define a “decompression” function Dec(a) that gets as input Com(r) and 
tries to recover r. Let r be a string from $\mathcal{R}_{correct}$, i.e., a string on which the stam- 
per correctly stamps k documents with at most err errors. From $doc_1, \ldots, doc_k$, 
that appear in Com(r), we recover the set Γ, and from Com(r) we learn which 
indices are in the subset BAD ⊆ Γ. Now, for every 1 ≤ j ≤ N we recover $r_j$ as 
follows: 

— If j ∉ Γ then we use the information in $r|_{\bar\Gamma}$ to find $r_j$. 

— If j ∈ BAD then we use the information in $r|_{BAD}$ to find $r_j$. 

— If j ∈ Γ \ BAD then we find an i such that j ∈ Γ(doc_i). We run 
Stamp*(doc_i, Store*(r)) and take $r_j$ from its output. 

The only case where we do not take the value of $r_j$ directly from Com(r) is for 
j ∈ Γ \ BAD. However, all such indices j are useful, and therefore we correctly 
decode them. Therefore, for every $r \in \mathcal{R}_{correct}$ we have Dec(Com(r)) = r. 

We now analyze the output length of the compression function Com. The 
documents $doc_1, \ldots, doc_k$ take k log|DOC| bits space. |Store*(r)| ≤ M*, by def- 
inition. As G is expanding and k ≤ Kmax, |Γ| ≥ βkD and therefore $|r|_{\bar\Gamma}| \le 
R - \beta kDn$. We represent BAD ⊆ Γ by a binary vector of length |Γ| ≤ kD which 
has a “one” for indices in Γ ∩ BAD and a “zero” for indices in Γ \ BAD. Each of 
the k documents is correctly stamped at r with at most err errors, and therefore 
for every such document $doc_i$ we have $|BAD(doc_i)| \le err$ and |BAD| ≤ k · err. The 
representation of $r|_{BAD}$ is therefore bounded by k · err · n. We conclude that the 
total length of the output of Com is at most 

$k \log|DOC| + M^* + R - \beta kDn + kD + k \cdot err \cdot n.$ 

We denote this quantity R − Δ. 

As every $r \in \mathcal{R}_{correct}$ has a small description (of length R − Δ) we have 
$|\mathcal{R}_{correct}| \le 2^{R-\Delta}$ and therefore $\Pr[r \in \mathcal{R}_{correct}] \le 2^{-\Delta}$. We have kD ≤ 
gβkDn (for large enough n). We also have err = gβD and by our assump- 
tion log|DOC| ≤ gβnD. Altogether, $R - \Delta \le R - \beta Dkn(1 - 3g) + M^*$. We get 
that $\Delta \ge (1 - 3g)\beta Dkn - M^*$. As $M^* \le (1 - 4g)\beta kDn$ we get $\Delta \ge g\beta kDn$ as 
desired. 



4.5 The Proof of Lemma 2 

Claim. Fix an adversary, a string r and a document doc. If the adversary γ- 
successfully stamps doc at r then it correctly stamps doc at r with at most 
$\frac{N}{|H|}\ln(\frac{1}{\gamma})$ errors. 

Proof. We prove the contrapositive. Suppose for some doc ∈ DOC and r, the 
timestamp provided by the adversary for doc has err* > err incorrect indices. 
Denote by $BAD_{doc} \subseteq [N]$ the set of incorrect indices. The verifier catches the 
adversary iff $BAD_{doc} \cap H \neq \emptyset$, i.e. if one of the incorrect indices is in H (the 
set of indices stored by Sketch). For each index in H, the probability that it 
hits $BAD_{doc}$ is $\frac{err^*}{N}$, and the probability that none of them hits $BAD_{doc}$ is 

$\left(1 - \frac{err^*}{N}\right)^{|H|} \le e^{-\frac{err^* |H|}{N}}$ 

(assuming the set is chosen with repetition). Hence, the adversary γ-successfully 
stamps doc with $\gamma \le e^{-\frac{err^* |H|}{N}}$. Turning that around, if the adversary 
γ-successfully stamps doc, then $err^* \le \frac{N}{|H|}\ln(\frac{1}{\gamma})$. 

In particular, for every r and doc for which the stamper is γ-successful, 
$err \le \frac{N}{|H|}\ln(\frac{1}{\gamma}) \le g\beta D$. Hence, the stamper correctly stamps doc at r with at 
most err = gβD errors. It follows that $\mathcal{R}_{successful}(k) \subseteq \mathcal{R}_{correct}(k)$ as desired. 

5 An Efficient Scheme Secure Against Polynomial Time Adversaries 

The scheme suggested in Section 4 requires the honest parties (stamper and 
verifier) to store many bits, namely TV ≫ R where T is the stamp size, V 
the sketch size and R the random string length. In other words, if the stamp 
size is very small then the sketch size V is almost all of the random string. 
Our second scheme has small sketch and stamp size. This is achieved by using 
the previous stamping scheme with a small T and using a different verification 
method that allows the verifier to use much less storage. This verification method 
is valid only against computationally bounded adversaries and takes advantage 
of the bounded computational capabilities of the cheating party. In this section 
we briefly describe the scheme and give a sketch of the proof. Due to space 
constraints, the exact details will appear in the full version. We assume the 
reader has some familiarity with collision resistant hash functions^ [11] (CRHFs) 
and Merkle trees [20]. 



5.1 The Stamping Scheme 

Let $\mathcal{H} = \{h : \{0,1\}^{2n} \to \{0,1\}^n\}$ be a family of CRHFs^ and $R = \log|\mathcal{H}| + Nn$. 
We partition a string r ∈ {0, 1}^R into N + 1 blocks, denoted $r_0, r_1, \ldots, r_N$ where 
$r_0$ is of length $\log|\mathcal{H}|$ and for i > 0, $r_i$ is of length n. The string $r_0$ (which didn’t 
appear in the previous scheme) serves as a “key” to the “hash function”. We use 
the same “index selection” mechanism as in Section 4: G is a bipartite graph 
with left degree D, where the left set is the set DOC and the right set is the set 
[N]. We now describe the stamp, sketch and verify procedures: 

^ Also called “collision intractable” or “collision free” hash functions. 
^ Informally, this means that no computationally bounded adversary can find $x_1 \neq x_2$ 
such that $h(x_1) = h(x_2)$ when given a random function h in the family. In this 
paper we require hash functions which are hard even for adversaries which run in 
time slightly super-polynomial in n. This is because the adversary runs in time 
polynomial in R, whereas n can be very small compared to R. 
Sketch_c: The verifier stores $r_0$ and the root of a Merkle tree^ whose leaves are 
$r_1, \ldots, r_N$, using the hash function specified by $r_0$. Note that Sketch_c is 
deterministic (unlike the case of the previous section where Sketch is prob- 
abilistic). 

Stamp_c: Given a document doc ∈ DOC the stamper uses the function Stamp 
of the previous section, and for every j ∈ Γ(doc) stores $r_j$ along with the 
Merkle-path from $r_j$ to the root of the tree.^ 

Verify_c: Given a document doc, a “root” a and a stamp y composed of D Merkle- 
paths, the function Verify_c(a, doc, y) accepts iff all paths are valid (that is, 
the label of the tree root computed from the Merkle-paths is consistent with 
that stored by the verifier). 

We note that both Sketch_c and Stamp_c can be computed online in small 
space, using the standard method for computing Merkle-trees online. For our 
choice of parameters, this gives the required efficiency. Using the expander con- 
struction of Theorem 3 for G, we obtain a scheme with efficiency $T = V = 2^{(\log\log R)^{O(1)}}$ 
(and thus prove Theorem 2). It is possible to get an even more efficient scheme 
with $T = V = (\log R)^{O(1)}$. However, this result requires a better graph than the 
one constructed in Theorem 3. It is folklore that such graphs exist by a proba- 
bilistic argument. However, at this point no such explicit construction is known. 
In the remainder of the section we sketch the proof of security of the scheme 
(the complete proof of Theorem 2 appears in the full version of the paper). 
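The Merkle-based procedures of this section, as an added example (Python written for this page, not the authors' code): the keyed hash $h_{r_0}$ is modelled by SHA-256 with the broadcast block $r_0$ prepended (an assumption of the example; the paper only needs some collision resistant family), Γ(doc) is a SHA-256-derived choice of leaf indices standing in for the expander of Theorem 3, Sketch_c computes the root in one pass with a stack of O(log N) labels (the standard online method the paragraph above refers to), and Verify_c recomputes each path with the left/right order fixed by the leaf index. All sizes (N, n, |r_0|, D) and the sample document are constructed for the demo.

```python
import hashlib
import random

# Toy parameters (constructed for this example, not the paper's): N leaf blocks
# r_1..r_N of n bits plus the key block r_0, so R = |r_0| + N*n bits.
N = 1024           # number of leaves; a power of two keeps the tree full
BLOCK_BYTES = 32   # n = 256 bits
KEY_BYTES = 16     # |r_0|
D = 16             # left degree: at most D Merkle paths per stamp


def h(r0: bytes, left: bytes, right: bytes) -> bytes:
    """h_{r0}: {0,1}^{2n} -> {0,1}^n, modelled here by SHA-256 with the broadcast
    block r_0 as key (an assumption of this example, not the paper's choice)."""
    return hashlib.sha256(r0 + left + right).digest()


def gamma(doc: bytes, n_leaves: int = N, degree: int = D) -> list:
    """Toy index selection Γ(doc): up to D distinct leaf indices derived from doc
    (a stand-in for the explicit expander of Theorem 3)."""
    picks = (hashlib.sha256(doc + i.to_bytes(2, "big")).digest() for i in range(degree))
    return sorted({int.from_bytes(p[:4], "big") % n_leaves for p in picks})


def merkle_levels(r0: bytes, leaves: list) -> list:
    """Every level of the Merkle tree: levels[0] are the leaves, levels[-1] = [root]."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([h(r0, lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels


def merkle_root_online(r0: bytes, block_stream) -> bytes:
    """Root in one pass over the blocks with O(log N) labels of state: a stack of
    (height, label) pairs in which two entries of equal height are merged."""
    stack = []
    for block in block_stream:
        node = (0, block)
        while stack and stack[-1][0] == node[0]:
            height, left = stack.pop()
            node = (height + 1, h(r0, left, node[1]))
        stack.append(node)
    if len(stack) != 1:
        raise ValueError("this toy needs a power-of-two number of leaves")
    return stack[0][1]


def sketch_c(r0: bytes, leaves: list):
    """Sketch_c(r) = (r_0, root): deterministic, |r_0| + n bits of verifier storage."""
    return r0, merkle_root_online(r0, iter(leaves))


def merkle_path(levels: list, j: int) -> list:
    """Sibling labels from leaf j to the root; the bits of j fix the left/right order."""
    path, idx = [], j
    for lvl in levels[:-1]:
        path.append(lvl[idx ^ 1])
        idx //= 2
    return path


def stamp_c(doc: bytes, r0: bytes, leaves: list) -> list:
    """Stamp_c(doc, r): for each j in Γ(doc), the block r_j and its Merkle path."""
    levels = merkle_levels(r0, leaves)
    return [(j, leaves[j], merkle_path(levels, j)) for j in gamma(doc)]


def verify_c(sk, doc: bytes, y: list) -> bool:
    """Accept iff y covers exactly Γ(doc) and every path hashes to the stored root."""
    r0, root = sk
    if [j for j, _, _ in y] != gamma(doc):
        return False
    for j, block, path in y:
        label, idx = block, j
        for sibling in path:
            label = h(r0, sibling, label) if idx & 1 else h(r0, label, sibling)
            idx //= 2
        if label != root:
            return False
    return True


def demo(seed: int = 2004) -> dict:
    rng = random.Random(seed)
    r0 = rng.randbytes(KEY_BYTES)                            # constructed key block
    leaves = [rng.randbytes(BLOCK_BYTES) for _ in range(N)]  # constructed r_1..r_N
    sk = sketch_c(r0, leaves)
    doc = b"constructed sample document: patent draft v3"
    y = stamp_c(doc, r0, leaves)
    # A stamper who did not keep r_j for the first selected index and guesses the
    # block instead: its path no longer hashes to the root (barring a collision in h).
    j, block, path = y[0]
    forged = [(j, bytes(b ^ 0x01 for b in block), path)] + y[1:]
    return {
        "honest_accepted": verify_c(sk, doc, y),
        "forged_rejected": not verify_c(sk, doc, forged),
        "online_root_matches_tree": sk[1] == merkle_levels(r0, leaves)[-1][0],
        "path_length": len(path),                            # log2(N) = 10 labels
        "sketch_bytes": KEY_BYTES + BLOCK_BYTES,
        "stamp_bytes": sum(BLOCK_BYTES * (1 + len(p)) for _, _, p in y),
    }
```

The verifier's state is 48 bytes regardless of N, while each stamp costs D · (1 + log N) blocks; this is the trade-off that replaces the |H| ≈ R/D sample of Section 4. Note that verify_c also checks that the submitted indices are exactly Γ(doc), so a stamp cannot be reused for a different document whose index set differs.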



5.2 Security 

We follow the outline of the correctness proof of the information-theoretic version 
of Section 4, except that now we work with security for generated documents. We 
show that if the adversary successfully stamps many documents then he correctly 
stamps many documents which is impossible by the “reconstruction argument” 
of the previous section. 

Fix some adversary with memory M* and running time polynomial in R. We 
use coins to denote the concatenation of the random coins used by Stamp* and 
Generate*. We define $\mathcal{R}^{c}_{correct}(k)$ to be the set of pairs (r, coins) such that, for 
every doc ∈ Generate*(r, k), the Merkle paths output by Stamp*(Store*(r), doc) 
are correct (i.e. that they are actual paths in the Merkle tree whose leaves are 
the blocks of r). In particular, this implies that the leaves of the paths are a 
“correct” timestamp for the k documents output by Generate*(r, k) in the sense 
of Section 4. 

^ Informally, a Merkle tree of $r_1, \ldots, r_N$ using the hash function h is a labeled binary 
tree, where the leaves are labeled by $r_1, \ldots, r_N$ and the label of each internal node 
is given by applying h to the concatenation of its children’s labels. 

^ A Merkle-path from $r_j$ consists of $r_j$ along with the labels of the siblings of all 
nodes on the path from $r_j$ to the root of the Merkle tree. Such a sequence contains 
sufficient information to compute the labels of all nodes on the path to the root node 
(by repeatedly applying the hash function). 
We now want to define the computational analogue of $\mathcal{R}_{successful}$ and relate it 
to $\mathcal{R}^{c}_{correct}$. We define $\mathcal{R}^{c}_{successful}(k)$ to be the set of all pairs (r, coins) for which 
the adversary successfully stamps the k documents output by Generate*(r, k) 
(i.e. for all doc ∈ Generate*(r, k), the Merkle paths output by 
Stamp*(Store*(r), doc) are accepted by the verifier). This definition of success 
corresponds to the notion of security in Definition 6. 

We prove that $\Pr_{r,\,coins}[(r, coins) \in \mathcal{R}^{c}_{successful}(k) \setminus \mathcal{R}^{c}_{correct}(k)] \le neg$ (where 
neg is a negligible function of n). This is because we can imagine a machine which, 
when given a random hash function $r_0$, uniformly selects the pair (r, coins) and 
runs the adversary. The claim follows, as for every pair $(r, coins) \in \mathcal{R}^{c}_{successful}(k) \setminus 
\mathcal{R}^{c}_{correct}(k)$, this machine can find a collision for $r_0$. Thus we have a computational 
analogue of Lemma 2. 

We then show (using Lemma 1) that every random string for which the 
adversary can correctly stamp many documents can be compressed, which gives 
a bound on the probability that this occurs. 

6 Discussion and Open Problems 

Dealing with Errors: Most protocols in the Bounded Storage Model, and ours 
among them, assume the broadcast random string is received identically and 
without errors by all parties. However, in many natural implementations of such 
protocols, this assumption may not be realistic (e.g. when the random string has 
a natural source). 

Our information-theoretic scheme can be made to work even with errors 
(provided the error rate is low enough) by allowing the verifier to accept a 
timestamp even if the blocks in the intersection differ by a small amount. 
The proof of Lemma 1 already allows the adversary to make some errors when 
stamping, and still be considered successful. Increasing the error rate by a small 
amount will not invalidate the lemma (although the parameters suffer slightly). 

The computational scheme, on the other hand, currently requires the random 
string to be received perfectly by all parties. It is an interesting open question 
whether this requirement can be removed. 

Removing the Need for Constant Monitoring: Our timestamping schemes require 
the verifier to run the Sketch function in every round for which it may, someday, 
want to verify documents. The verifier must therefore constantly monitor the 
random string, which is too much to ask from a casual user of the system. 

An implementation of our timestamp systems can overcome this difficulty by 
using “verification centers”: dedicated third parties who act as verifiers. In some 
sense, such third parties appear in all previous timestamp protocols. This raises 
the issue of how much trust the user must place in the verification center. 

In the computational version of our protocol, the verification center is also 
easily auditable by casual users: the verifier is deterministic and has no secret 
information. Any user can act as a verifier for a single round, and compare its 
state to that of the verification center: any inconsistency will be instantly visible. 
Online Versus Locally-Computable: The strategies for the honest players are 
efficient in the sense that they work online using small space and polynomial 
time. A stronger notion of efficiency called “locally-computable” was suggested in 
[25]. It requires the honest players to store a small substring of the string r. More 
precisely, the players need to choose a subset S C [i?j before the random string 
is transmitted and only store rjg. We point out that the “information-theoretic” 
scheme (Section 4) has this additional property, whereas the “computationally- 
bounded” scheme (Section 5) does not®. Natural open problems are whether the 
“information-theoretic” scheme can be improved to yield better parameters, and 
whether the “computationally-bounded” scheme can be improved to run with 
strategies that are locally computable. 

Acknowledgements 

We thank Danny Harnik, Moni Naor and Muli Safra for helpful discussions, and 
the anonymous reviewers for their constructive comments. 



References 

1. Y. Aumann, Y. Z. Ding, and M. O. Rabin. Everlasting security in the bounded 
storage model. IEEE Transactions on Information Theory, 48, 2002. 

2. Y. Aumann and M. O. Rabin. Information theoretically secure communication 
in the limited storage space model. In Advances in Cryptology — CRYPTO ’99, 
volume 1666, pages 65–79, 1999. 

3. D. Bayer, S. Haber, and W. S. Stornetta. Improving the efficiency and reliability of 
digital time-stamping. In R. M. Capocelli et al., editors, Sequences II: Methods in 
Communication, Security and Computer Science, pages 329–334. Springer-Verlag, 
Berlin, Germany / New York, 1992. 

4. J. Benaloh and M. de Mare. Efficient broadcast time-stamping. Technical Report 1, 
Clarkson University Department of Mathematics and Computer Science, August 
1991. 

5. Josh Cohen Benaloh and Michael de Mare. One-way accumulators: A decentralized 
alternative to digital signatures. Lecture Notes in Computer Science, 765:274, 1994. 

6. Ahto Buldas and Peeter Laud. New linking schemes for digital time-stamping. In 
Information Security and Cryptology, pages 3–13, 1998. 

7. Ahto Buldas, Peeter Laud, Helger Lipmaa, and Jan Villemson. Time-stamping 
with binary linking schemes. In Hugo Krawczyk, editor, Advances in Cryptology 
— CRYPTO ’98, volume 1462 of Lecture Notes in Computer Science, pages 486– 
501, Santa Barbara, USA, August 1998. Springer-Verlag. 

8. Ahto Buldas, Helger Lipmaa, and Berry Schoenmakers. Optimally efficient 
accountable time-stamping. In Public Key Cryptography, pages 293–305, 2000. 

⁶ In the “computationally-bounded” scheme, both stamper and verifier read blocks 
of the string r online, and need to “hash them” quickly before reading the next 
incoming blocks. Thus, to implement this scheme, one needs to use hash functions 
which can be computed very efficiently. 







Tal Moran, Ronen Shaltiel, and Amnon Ta-Shma 



9. Christian Cachin, Claude Crépeau, and Julien Marcil. Oblivious transfer with 
a memory-bounded receiver. In IEEE Symposium on Foundations of Computer 
Science, pages 493–502, 1998. 

10. Christian Cachin and Ueli Maurer. Unconditional security against memory- 
bounded adversaries. In Burton S. Kaliski Jr., editor, Advances in Cryptology — 
CRYPTO ’97, volume 1294 of Lecture Notes in Computer Science, pages 292–306. 
Springer-Verlag, 1997. 

11. I. B. Damgård. Collision free hash functions and public-key signature schemes. 
In Advances in Cryptology — EUROCRYPT ’87, Proceedings, volume 304, pages 
203–216. Springer-Verlag, 1987. 

12. Yan Zong Ding. Oblivious transfer in the bounded storage model. Lecture Notes 
in Computer Science, 2139:155, 2001. 

13. Yan Zong Ding, Danny Harnik, Alon Rosen, and Ronen Shaltiel. Constant-round 
oblivious transfer in the bounded storage model. In Theory of Cryptography — 
TCC ’04, volume 2951, Cambridge, MA, USA, February 2004. Springer-Verlag. To 
appear. 

14. Y. Z. Ding and M. O. Rabin. Hyper-encryption and everlasting security. In Annual 
Symposium on Theoretical Aspects of Computer Science (STACS), pages 1–26, 
2002. 

15. Stefan Dziembowski and Ueli Maurer. Tight security proofs for the bounded- 
storage model. In Proceedings of the 34th Annual ACM Symposium on Theory of 
Computing, pages 341–350. ACM, May 2002. 

16. Stuart Haber and W. Scott Stornetta. How to time-stamp a digital document. 
Lecture Notes in Computer Science, 537:437, 1991. 

17. Stuart Haber and W. Scott Stornetta. Secure names for bit-strings. In ACM 
Conference on Computer and Communications Security, pages 28–35, 1997. 

18. C. Lu. Hyper-encryption against space-bounded adversaries from on-line strong 
extractors. In Advances in Cryptology — CRYPTO ’02, volume 2442, pages 257– 
271. Springer, 2002. 

19. U. Maurer. Conditionally-perfect secrecy and a provably-secure randomized cipher. 
Journal of Cryptology, 5(1):53–66, 1992. 

20. Ralph C. Merkle. A certified digital signature. In Proceedings on Advances in 
Cryptology, pages 218–238. Springer-Verlag New York, Inc., 1989. 

21. R. Raz, O. Reingold, and S. Vadhan. Error reduction for extractors. In 40th IEEE 
Symposium on Foundations of Computer Science, pages 191–201, 1999. 

22. A. Srinivasan and D. Zuckerman. Computing with very weak random sources. 
SIAM Journal on Computing, 28:1433–1459, 1999. 

23. Amnon Ta-Shma. Storing information with extractors. Information Processing 
Letters, 83(5):267–274, September 2002. 

24. Amnon Ta-Shma, Christopher Umans, and David Zuckerman. Loss-less condensers, 
unbalanced expanders, and extractors. In Proceedings of the 33rd Annual ACM 
Symposium on Theory of Computing, Hersonissos, Crete, Greece, July 6–8, 2001, 
pages 143–152, New York, NY, USA, 2001. ACM Press. 

25. S. P. Vadhan. On constructing locally computable extractors and cryptosystems in 
the bounded storage model. In Advances in Cryptology — CRYPTO ’03. Springer, 
2003. 




IPAKE: Isomorphisms for Password-Based 
Authenticated Key Exchange 



Dario Catalano¹, David Pointcheval¹, and Thomas Pornin² 



¹ CNRS-LIENS, École Normale Supérieure, Paris, France 
{Dario.Catalano,David.Pointcheval}@ens.fr 
² Cryptolog, Paris, France 
Thomas.Pornin@cryptolog.com 



Abstract. In this paper we revisit one of the most popular password- 
based key exchange protocols, namely the OKE (for Open Key Exchange) 
scheme, proposed by Lucks in 1997. Our results can be highlighted as fol- 
lows. First we define a new primitive that we call trapdoor hard-to-invert 
isomorphisms, and give some candidates. Then we present a generic 
password-based key exchange construction, that admits a security proof 
assuming that these objects exist. Finally, we instantiate our general 
scheme with some concrete examples, such as the Diffie-Hellman func- 
tion and the RSA function, but more interestingly the modular square 
root function, which leads to the first scheme with security related to 
the integer factorization problem. Furthermore, the latter variant is very 
efficient for one party (the server). Our results hold in the random-oracle 
model. 



1 Introduction 

Shortly after the introduction of the revolutionary concept of asymmetric cryp- 
tography, proposed in the seminal paper by Diffie and Hellman [9], people real- 
ized that properly managing keys is not a trivial task. In particular private keys 
tend to be pretty large objects that have to be safely stored in order to preserve 
whatever kind of security. Specific devices have thus been developed in order 
to help human beings in storing their secrets, but it is clear that even the most 
technologically advanced device may become useless if lost or stolen. In principle 
the best way to store a secret is to keep it in mind. In practice, however, human 
beings are very bad at remembering large secrets (even if they are passwords or 
pass-phrases) and very often they need to write passwords down on a piece of 
paper in order to be able to keep track of them. As a consequence, either one 
uses a short (and memorable) password, or writes/stores it somewhere. In the 
latter case, security eventually relies on the mode of storage (which is often the 
weakest part in the system: a human-controlled storage). In the former case, a 
short password is subject to exhaustive search. 

Indeed, by using a short password, one cannot prevent a brute force on-line 
exhaustive search attack: the adversary just tries some passwords of its own 
choice in order to try to impersonate a party. If it guesses the correct password, 
it can get in, otherwise it has to try with another password. In many applications, 
however, the number of such active attacks can be limited in various ways. For 
example one may impose some delay between different trials, or even close the 
account after some fixed number of consecutive failures. Of course the specific 
limitations depend very much on the context: other kinds of attacks, such as 
Denial of Service ones, for example, should also be made hard to mount. In 
any case, the important point we want to make here is that the impact of on- 
line exhaustive search can be limited. However on-line attacks are not the only 
possible threats to the security of a password-based system. Imagine for example 
an adversary who has access to several transcripts of communication between a 
server and a client. Clearly the transcript of a “real” communication somehow 
depends on the actual password. This means that a valid transcript (or several 
ones) could be used to “test” the validity of some password: the adversary chooses 
a random password and simply checks if the produced transcript is the same as 
the received one. In this way it is possible to mount an (off-line) exhaustive search 
attack that can be much more effective than the on-line one, simply because, in 
this scenario, the adversary can try all the possible passwords just until it finds 
the correct one. Such an off-line exhaustive search is usually called a “dictionary 
attack”. 



1.1 Related Work 

A password-based key exchange is an interactive protocol between two parties 
A and B, who initially share a short password pw, that allows A and B to 
exchange a session key sk. One expects this key to be semantically secure 
w.r.t. any party but A and B, who should know it at the end of the protocol. 
The study of password-based protocols resistant to dictionary attacks started 
with the seminal work of Bellovin and Merritt [3], where they proposed the so- 
called Encrypted Key Exchange protocol (EKE). The basic idea of their solution 
is the following: A generates a public key and sends it to B encrypted - using a 
symmetric encryption scheme - with the common password. B uses the password 
to decrypt the received ciphertext. Then it proceeds by encrypting some value 
k using the obtained public key. The resulting ciphertext is then re-encrypted 
(once again using the password) and finally sent to A. Now A can easily recover 
k, using both his own private key and the common password. A shared session 
key is then derived from k using standard techniques. 

A classical way to break password-based schemes is the partition attack [4]. 
The basic idea is that if the cleartexts encrypted with the password have any 
redundancy, or lie in a strict subset, a dictionary attack can be successfully 
mounted: considering one flow (obtained by eavesdropping) one first chooses a 
password, decrypts the ciphertext and checks whether the redundancy is present 
or not (or whether the plaintext lies in the correct range). This technique allows 
one to quickly select probable passwords, and eventually extract the correct one. 

The partition attack can be mounted on many implementations of EKE, 
essentially because a public key usually contains important “redundancy” (as 
a matter of fact a public key - or at least its encoding - is not in general 
a random-looking string). Note that in the described approach (for EKE), the 
same symmetric encryption (using the same password) is used to encrypt both 
the public key, and the ciphertext generated with this key. This may create ad- 
ditional problems basically because these two objects (i.e. the public key and 
the ciphertext) are very often defined on completely unrelated sets. A nice ex- 
ception to this general rule are ElGamal keys [12]. This is thus the sole effective 
application of EKE. 

As noticed by the original authors [3], and emphasized by Lucks [17], it is 
“counter-intuitive (...) to use a secret key to encrypt a public key”. For this 
reason Lucks [17] proposed OKE (which stands for Open Key Exchange). The 
underlying idea of this solution is to send the public key in clear and to en- 
crypt the second flow only. Adopting this new approach, additional public-key 
encryption schemes can be considered (and in particular RSA [23] for instance). 
However, one has to be careful when using RSA. The problem is that the RSA 
function is guaranteed to be a permutation only if the user behaves honestly 
and chooses his public key correctly. In real life, however, a malicious user may 
decide to generate keys that do not lead to a permutation at all. In such a 
case a partition attack becomes possible: an RSA-ciphertext would lie in a strict 
subset of ℤ_n^*. For this reason Lucks proposed a variant of his scheme, known 
as Protected OKE, to properly deal with the case of RSA. Later on, however, 
MacKenzie et al. [19, 18] proved that the scheme was flawed by presenting a way 
to attack it. At the same time they showed how to repair the original solution 
by proposing a new protocol they called SNAPI (for Secure Network Authen- 
tication with Password Identification), for which they provided a full proof of 
security in the random-oracle model. This proof, however, is specific to RSA, in 
the random-oracle model, and very intricate. 

Interestingly enough, in the standard model, the problem of secure password- 
based protocols was not treated rigorously until very recently. The first rigorous 
treatment of the problem was proposed by Halevi and Krawczyk [15] who, how- 
ever, proposed a solution that requires other setup assumptions on top of that 
of the human password. Later on, Goldreich and Lindell [14] proposed a very 
elegant solution that achieves security without any additional setup assumption. 
The Goldreich and Lindell proposal is based on the sole existence of trapdoor per- 
mutations and, even though very appealing from a theoretical point of view, is 
definitely not practical. The first practical solution was proposed by Katz, Os- 
trovsky and Yung [16]. Their solution is based on the Decisional Diffie-Hellman 
assumption and assumes that all parties have access to a set of public parameters 
(which is of course a stronger set-up assumption than assuming that only human 
passwords are shared, but still a weaker one with respect to the Halevi-Krawczyk 
ones for example). Even more recently Gennaro and Lindell [13] presented an 
abstraction of the Katz, Ostrovsky and Yung [16] protocol that allowed them to 
construct a general framework for authenticated password-based key exchange 
in the common reference string model. 

We note here that even though from a mathematical point of view a proof in 
the standard model is always preferable to a proof in the random-oracle model, 
all the constructions in the standard model presented so far are much less efficient 
than those known in the random-oracle model. It is true that a proof 
in the random-oracle model should be interpreted with care, more as a heuristic 
proof than a real one. On the other hand in many applications efficiency is a big 
issue and it may be preferable to have a very efficient protocol with a heuristic 
proof of security than a much less efficient one with a complete proof of security. 

1.2 Our Contributions 

In this paper, we revisit the generic OKE construction by clearly stating the 
requirements about the primitive to be used: we need a family of isomorphisms 
with some specific computational properties that we call trapdoor hard-to-invert 
isomorphisms (see the next section for a formal definition of these objects). Very 
roughly, a trapdoor hard-to-invert isomorphism can be seen as an isomorphic 
function that is in general hard to invert, unless some additional information 
(the trapdoor) is provided. Note that such an object is different with respect to 
traditional trapdoor functions. A trapdoor one-way function is always easy to 
compute, whereas a trapdoor hard-to-invert function may be not only hard to 
invert, but - at least in some cases - also hard to compute [10]. As it will become 
apparent in the next sections, this requirement is not strong because basically 
all the classical public-key encryption schemes fit it (RSA [23], Rabin with Blum 
moduli [22], ElGamal [12], and even the recent Okamoto-Uchiyama’s [20] and 
Paillier’s schemes [21]). More precisely our results can be described as follows. 

First, after having described our security model, we present a very general 
construction, denoted IPAKE for Isomorphism for Password-based Authenticated 
Key Exchange, and we prove it is secure. Our security result relies on the com- 
putational properties of the chosen trapdoor hard-to-invert isomorphism family, 
in the random-oracle model. As a second result we pass to instantiating the general 
construction with specific encryption schemes. We indeed show that trapdoor 
hard-to-invert isomorphisms can be based on the Diffie-Hellman problem, on 
the RSA problem, and even on integer factoring. 

For lack of space, we refer to the full version [8] for the first two applications, 
since they are not really new. Plugging in ElGamal directly leads to one of the 
AuthA variants, proposed to IEEE P1363 [2], or to PAK [5]. The security has 
already been studied in several ideal models [5-7]. The case of RSA leads to 
a scheme similar to RSA-OKE, SNAPI [19,18], or to the scheme proposed by 
Zhu et al. [26]. 

More interestingly, using such methods we can construct a very efficient solu- 
tion from the Rabin function. To our knowledge this is the first efficient password- 
based authenticated key exchange scheme based on factoring. 

2 Preliminaries 

Denote with ℕ the set of natural numbers and with ℝ⁺ the set of positive real 
numbers. We say that a function ε : ℕ → ℝ⁺ is negligible if and only if for every 
polynomial P(n) there exists an n₀ ∈ ℕ such that for all n > n₀, ε(n) < 1/P(n). 
If A is a set, then a ← A indicates the process of selecting a at random and 
uniformly over A (which in particular assumes that A can be sampled efficiently). 

2.1 Trapdoor Hard-to-Invert Isomorphisms 

Let I be a set of indices. Informally a family of trapdoor hard-to-invert isomor- 
phisms is a set F = {f_m : X_m → Y_m}_{m∈I} satisfying the following conditions: 

1. one can easily generate an index m, which provides a description of the func- 
tion f_m (a morphism between its domain X_m and range Y_m, which are assumed 
to be isomorphic groups), and a trapdoor t_m; 

2. for a given m, one can efficiently sample pairs (x, f_m(x)), with x uniformly 
distributed in X_m; 

3. for a given m, one can efficiently decide Y_m; 

4. given the trapdoor t_m, one can efficiently invert f_m(x), and thus recover x; 

5. without the trapdoor, inverting f_m is hard. 

This is almost the same definition as for trapdoor one-way permutations with 
homomorphic properties. There is a crucial difference however: one can sample 
pairs, but may not necessarily be able to compute f_m(x) for a given x (point 2 
above). As a consequence, the function is hard-to-invert, but it may be hard to 
compute as well. 

More formally we say that F defined as above is a family of trapdoor hard- 
to-invert isomorphisms if the following conditions hold: 

1 - There exist a polynomial p and a probabilistic polynomial time Turing 
Machine Gen which on input 1^k (where k is a security parameter) outputs 
pairs (m, t_m) where m is uniformly distributed in I and |t_m| ≤ p(k). The 
index m defines X_m and Y_m, which are isomorphic groups, an isomorphism 
f_m from X_m onto Y_m and a set R_m of values uniformly samplable, which 
will be used to sample (x, f_m(x)) pairs. The information t_m is referred to as 
the trapdoor. 

2.1 - There exists a polynomial time Turing Machine Sample^X which on input 
m ∈ I and r ∈ R_m outputs x ∈ X_m. Furthermore, for any m, the machine 
Sample^X(m, ·) implements a bijection from R_m onto X_m. 

2.2 - There exists a polynomial time Turing Machine Sample^Y, such that on in- 
put m ∈ I and r ∈ R_m it outputs f_m(x) for x = Sample^X(m, r). Therefore, 
Sample^Y(m, r) = f_m(Sample^X(m, r)). 

3 - There exists a polynomial time Turing Machine Check^Y which, on input 
m ∈ I and any y, answers whether y ∈ Y_m or not. 

4 - There exists a (deterministic) polynomial time Turing Machine Inv such 
that Inv(m, t_m, f_m(x)) = x, for all x ∈ X_m and for all m ∈ I. 

5 - For every probabilistic polynomial time Turing Machine A we have that, 
for large enough k, 

Pr[m ← I; x ← X_m; y = f_m(x) : A(m, y) = x] ≤ ε(k), 

where ε(·) is a negligible function. 

The last property is our formal hard-to-invert notion, which is quite similar to 
the usual one-way notion: they just differ if Sample^X(m, ·) is one-way. 
2.2 Verifiable Sub-family of Trapdoor Hard-to-Invert Isomorphisms 

In the above definition, it is clear that for any m ∈ I, the function f_m is an 
isomorphism from the group X_m onto Y_m. However, in practice, the family of 
functions {f_m}_m may be indexed by a potentially larger set S (i.e. I ⊆ S), 
for which there may exist some indices that do not lead to an isomorphism. 
Therefore, we require more properties to be satisfied. 

— there exists a large subset I ⊆ S, such that F = {f_m : X_m → Y_m}_{m∈I} is a 
family of trapdoor hard-to-invert isomorphisms; 

— there exists a set J of indices which provide an isomorphism, such that 
I ⊆ J ⊆ S, which admits an efficient zero-knowledge proof of membership. 

The last property turns out to be crucial for the application we have in mind. In 
our setting the client has to choose the specific function to use in the protocol. 
This means that a dishonest client (i.e. one that does not share a password 
with the server) could propose an index whose corresponding function is not 
an isomorphism. This would give him the ability to run a partition attack (as 
already explained for RSA). For this reason we require the client to produce a 
function f_m together with a proof that it is actually an isomorphism. 



2.3 Zero-Knowledge Proofs of Membership 

As noticed above, the only property we want to be able to verify is the isomor- 
phic one, and thus the fact that the index m actually lies in J: we just want 
the adversary not to be able to prove a wrong statement; we do not care about 
malleability [11]. A second point is that the zero-knowledge property will be 
required in the security proof: a valid index m is given, and one tries to use the adver- 
sary to solve a hard problem related to m. Thus, we need to be able to provide a 
proof of validity of m, without any witness. Note however that the simulation is 
performed for valid statements only, and thus simulation soundness [24] is not 
required. Moreover, since we just have to simulate one proof without the wit- 
ness (other executions will be performed as in an actual execution), concurrent 
zero-knowledge is not needed either. 

For efficiency reasons, we will focus on a specific class of zero-knowledge 
proofs: for a given statement m, the verifier sends a random seed seed and then 
the prover non-interactively provides a proof p = Prove^m(m, w, seed) using a 
witness w that m ∈ J, w.r.t. the random seed seed; the proof can be checked 
without the witness: Check^m(m, seed, p). In our protocol, honest players will sam- 
ple m ∈ I, and thus also obtain the trapdoor t_m. This trapdoor will generally be a 
good witness. More formally we require: 

— Completeness - Prove^m and Check^m are two efficient (polynomial time) al- 
gorithms, and for any m ∈ J and any challenge seed, a witness helps to build 
a proof p = Prove^m(m, w, seed) which is always accepted: Check^m(m, seed, p) 
accepts; 

— Soundness - for any m ∉ J, the probability for any adversary (on its random 
tape and the random seed seed) to forge a valid proof (accepted by the 
Check^m algorithm) is negligible within time t. Succ(t) will denote the 
maximal success probability for any adversary within time t; 

— ROM-simulatability - granted the programmability of the random oracle, for 
any m ∈ I and any seed, there exists an efficient way to perfectly simulate 
an accepted proof. 

2.4 Concrete Examples 

The Diffie-Hellman Family. The most natural example of a family of trapdoor 
hard-to-invert isomorphisms is the Diffie-Hellman one. The machine Gen, on 
input the security parameter k, does as follows. First it chooses a random prime 
q of size k, and a prime p such that q divides p − 1. Next, it chooses a subgroup 
G of order q in ℤ_p^* and a corresponding generator g. Finally it chooses a random 
element a in ℤ_q^*, it sets h = g^a mod p and outputs the pair (m, t_m) where t_m = a 
and m is an encoding of (g, p, q, h). This defines our set I. 

Now f_m is instantiated as follows. Set X_m = Y_m = G\{1}, R_m = ℤ_q^* and 
Sample^X : ℤ_q^* → G is defined² as Sample^X(x) = g^x mod p. Moreover f_m is defined 
as (for any X ∈ G\{1}): f_m(X) = X^a mod p. 

Clearly, to efficiently evaluate f_m on a random point X, one should know 
either the trapdoor information a or any x such that Sample^X(x) = X (assuming, 
of course, that the computational Diffie-Hellman problem is infeasible in G): 
Sample^Y(x) = h^x mod p. Similarly knowledge of the trapdoor is sufficient to invert f_m 
on a random point Y: Inv(a, Y) = Y^{a^{−1} mod q} mod p. However inverting the function without 
knowing the trapdoor seems to be infeasible. Nevertheless, Y_m = G is efficiently 
decidable: Check^Y(Y) simply checks whether Y^q = 1 mod p or not. 

For our functions to be isomorphisms, one just needs a to be co-prime with 
q, where q is actually the order of g. For better efficiency, the group information 
(g, p, q) can be fixed, and considered as common trusted parameters. Therefore, 
Gen just chooses a and sets h = g^a mod p: one just needs to check that h ≠ 
1 mod p and h^q = 1 mod p; no witness is required, nor additional proof: Prove^m 
does not need any witness for outputting any proof, since Check^m simply checks 
the above equality/inequality. 



The RSA Family. Another natural example is the RSA permutation. In this 
case the machine Gen on input the security parameter k does as follows. First it 
chooses two random primes p, q of size k/2 and sets n = pq. Next, it chooses a 
public exponent e such that gcd(e, φ(n)) = 1. Finally it outputs the pair (m, t_m) 
where t_m = (p, q) and m is an encoding of (n, e). This defines our set I. 

The function f_m is instantiated as follows. Set X_m = Y_m = R_m = ℤ_n^* and 
Sample^X : ℤ_n^* → ℤ_n^* is the identity function, i.e. Sample^X(x) = x. The function 
f_m is defined as (for any x ∈ ℤ_n^*): f_m(x) = x^e mod n. Hence, Sample^Y(x) = 
x^e mod n. The Inv algorithm is straightforward, granted the trapdoor. And the 
Check^Y algorithm simply has to check whether the element is coprime to n. 

As already noticed, since Sample^X is easy to invert, the RSA family is not 
only a trapdoor hard-to-invert isomorphism family, but also a trapdoor one-way 
permutation family. However, to actually be an isomorphism, (n, e) does not 
really need to lie in I, which would be very costly to prove (while still possible). 
It just needs to satisfy gcd(e, φ(n)) = 1, which defines our set J. An efficient 
proof of validity is provided in the full version [8], where both Prove^m and Check^m 
are formally defined. 

² Note that we allow a slight misuse of notation here. Actually the function Sample^X 
should be defined as Sample^X : I × ℤ_q → G. However we prefer to adopt a simpler 
(and somehow incorrect) notation for visual comfort. 
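The condition gcd(e, φ(n)) = 1 that defines J is exactly what makes x ↦ x^e mod n a permutation of ℤ_n^*; when a client-chosen exponent violates it, the image is a strict subset and the partition attack recalled in the introduction applies. The following Python is an added example, not code from the paper: on a constructed toy modulus n = 7 · 11 it brute-forces the image of x ↦ x^e mod n to show that Check^Y (coprimality with n) accepts every image element whether or not the index is honest, and that the gcd test needs φ(n), i.e. the factorization held only by the client, which is why a proof of validity Prove^m/Check^m is required instead. Function names are the example's own.

```python
"""Added example (not from the paper): why an RSA index (n, e) must be proven to lie in J."""
from math import gcd


def check_y_rsa(n: int, y: int) -> bool:
    """Check^Y for the RSA family: y is in Y_m = Z_n^* iff it is a unit modulo n.
    This says nothing about the exponent e, so it cannot detect a dishonest index."""
    return 0 < y < n and gcd(y, n) == 1


def index_in_j(p: int, q: int, e: int) -> bool:
    """Membership in J: gcd(e, phi(n)) = 1 with n = p*q.
    Needs phi(n), hence the factorization: only the index's creator can run this
    directly, which is why the protocol asks for a proof of validity instead."""
    return gcd(e, (p - 1) * (q - 1)) == 1


def image_fraction(n: int, e: int) -> float:
    """Fraction of Z_n^* reached by x -> x^e mod n (brute force; toy n only).
    Equals 1.0 exactly when the map is a permutation and is strictly smaller
    otherwise; that strict subset is what a partition attack exploits."""
    units = [x for x in range(1, n) if gcd(x, n) == 1]
    image = {pow(x, e, n) for x in units}
    return len(image) / len(units)


def audit_index(p: int, q: int, e: int) -> dict:
    """Summarise what a verifier can and cannot see for a candidate index (n, e)."""
    n = p * q
    # every image element is a unit, so Check^Y passes for honest and dishonest e alike
    all_pass = all(check_y_rsa(n, pow(x, e, n))
                   for x in range(1, n) if gcd(x, n) == 1)
    return {"n": n, "e": e, "in_J": index_in_j(p, q, e),
            "image_fraction": image_fraction(n, e),
            "check_y_accepts_all_images": all_pass}


if __name__ == "__main__":
    # constructed toy primes; phi(77) = 60, so e = 7 is valid while e = 3 is not
    print(audit_index(7, 11, 7))
    print(audit_index(7, 11, 3))
```

With e = 3 the image covers only a third of ℤ_77^* (the cube map collapses the order-6 component mod 7 by a factor of 3), yet every image element still passes Check^Y; only the gcd test, or a proof standing in for it, separates the two indices.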

The Squaring Family. As a final example, we suggest the squaring function 
which is defined as the RSA function with the variant that e = 2. A problem 
here arises from the fact that squaring is not a permutation over ℤ_n^*, simply 
because 2 is not co-prime with φ(n). However, if one considers Blum moduli 
(i.e. composites of the form n = pq, where p ≡ q ≡ 3 mod 4) then it is easy to 
check that the squaring function becomes an automorphism of the group of 
quadratic residues modulo n (in the following we refer to this group as Q_n). 
However this is not enough for our purposes. An additional difficulty comes from 
the fact that we need an efficient way to check if a given element belongs to Y_m 
(which would be Q_n here): the need of an efficient algorithm Check^Y. The most 
natural extension of Q_n is the subset J_n of ℤ_n^* which contains all the elements 
with Jacobi symbol equal to +1. Note that for a Blum modulus n = pq, this 
set is isomorphic to {−1, +1} × Q_n (this is because −1 has a Jacobi symbol 
equal to +1, but is not a square). By these positions we get the signed squaring³ 
isomorphism: 

f_n : {−1, +1} × Q_n → J_n 

(b, x) ↦ b × x² mod n. 

For this family, the machine Gen, on input the security parameter k, does as 
follows. First it chooses two random Blum primes p, q of size k/2 and sets n = 
pq. Then it outputs the pair (m, t_m) where t_m = (p, q) and m is an encoding 
of n. This thus defines our set I. The function f_m is instantiated as follows. 
Set X_m = R_m = {−1, +1} × Q_n, Y_m = J_n and Sample^X : {−1, +1} × Q_n → 
{−1, +1} × Q_n is the identity function, i.e. Sample^X(b, x) = (b, x). The function 
f_m is defined as (for any (b, x) ∈ {−1, +1} × Q_n): f_m(b, x) = b × x² mod n. 
Hence, Sample^Y(b, x) = f_m(b, x). The Inv algorithm is straightforward, granted 
the trapdoor. And the Check^Y algorithm simply computes the Jacobi symbol. 

As above, since Sample^X is easy to invert, the squaring family is not only a 
trapdoor hard-to-invert isomorphism family, but also a trapdoor one-way per- 
mutation family. However, to actually be an isomorphism, n does not really need 
to be a Blum modulus, which would be very costly to prove. What we need is 
just that −1 has Jacobi symbol +1 and any square in ℤ_n^* admits exactly 4 roots. 
A validity proof is provided, with the mathematical justification, in Section 6, 
which thus formally defines both Prove^m and Check^m. 

³ By signed, we mean that the output of the function has a sign (plus or minus). 
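To make the signed squaring family concrete, here is an added Python example (not the paper's code) on a constructed toy Blum modulus n = 7 · 11: Gen takes the two Blum primes, Check^Y is the Jacobi-symbol test for J_n, f_m is (b, x) ↦ b · x² mod n, and Inv uses the trapdoor (p, q) to recover (b, x) through the quadratic-residue square root together with the fact that −1 has Jacobi symbol +1 but is not a square. The last function exhaustively verifies, on the toy modulus, that f_m is a group isomorphism from {−1, +1} × Q_n onto J_n and that Inv undoes it. Function names are the example's own.

```python
"""Added example (not from the paper): the signed squaring isomorphism on a toy Blum modulus."""
from math import gcd
from itertools import product


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for an odd positive n, by the standard reduction rules."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:          # pull out factors of 2 using (2/n)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def gen(p: int, q: int):
    """Gen: with two Blum primes (p = q = 3 mod 4) return (m, t_m) = (n, (p, q))."""
    assert p % 4 == 3 and q % 4 == 3 and p != q
    return p * q, (p, q)


def check_y(n: int, y: int) -> bool:
    """Check^Y: y lies in J_n, the units mod n with Jacobi symbol +1."""
    return 0 < y < n and gcd(y, n) == 1 and jacobi(y, n) == 1


def f(n: int, b: int, x: int) -> int:
    """f_m(b, x) = b * x^2 mod n; Sample^Y is the same map since Sample^X is the identity."""
    return (b * x * x) % n


def is_qr(y: int, p: int, q: int) -> bool:
    """y is a square mod n = pq iff it is a square mod p and mod q (Euler's criterion)."""
    return pow(y, (p - 1) // 2, p) == 1 and pow(y, (q - 1) // 2, q) == 1


def qr_sqrt(y: int, p: int, q: int) -> int:
    """The unique square root of the residue y that is itself in Q_n.
    For p = 3 mod 4, y^((p+1)/4) is a root that is a residue mod p; glue with CRT."""
    n = p * q
    rp = pow(y, (p + 1) // 4, p)
    rq = pow(y, (q + 1) // 4, q)
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % n


def inv(t_m, y: int):
    """Inv(m, t_m, y): recover (b, x) with b * x^2 = y mod n from the trapdoor (p, q)."""
    p, q = t_m
    n = p * q
    if not check_y(n, y):
        raise ValueError("y is not in J_n")
    if is_qr(y, p, q):
        return 1, qr_sqrt(y, p, q)
    # Jacobi +1 but not a square: y is a non-residue mod both p and q, and so is -1
    # (Blum primes), hence -y is a square and the sign bit is -1.
    return -1, qr_sqrt((-y) % n, p, q)


def verify_isomorphism(p: int, q: int) -> dict:
    """Exhaustively check on a toy modulus that f_m: {-1,+1} x Q_n -> J_n is a group
    isomorphism and that Inv is its inverse (only feasible for tiny n)."""
    n, t_m = gen(p, q)
    units = [x for x in range(1, n) if gcd(x, n) == 1]
    q_n = sorted({(x * x) % n for x in units})          # quadratic residues Q_n
    j_n = {y for y in units if check_y(n, y)}            # Jacobi +1 elements J_n
    domain = list(product((-1, 1), q_n))
    image = {f(n, b, x) for b, x in domain}
    bijective = image == j_n and len(image) == len(domain)
    inverts = all(inv(t_m, f(n, b, x)) == (b, x) for b, x in domain)
    # homomorphism: f(b1*b2, x1*x2) == f(b1, x1) * f(b2, x2)
    homomorphic = all(
        f(n, b1 * b2, (x1 * x2) % n) == (f(n, b1, x1) * f(n, b2, x2)) % n
        for (b1, x1), (b2, x2) in product(domain, repeat=2))
    return {"n": n, "size_Q_n": len(q_n), "size_J_n": len(j_n),
            "bijective": bijective, "inverts": inverts, "homomorphic": homomorphic}


if __name__ == "__main__":
    print(verify_isomorphism(7, 11))   # constructed toy Blum primes
```

On n = 77 the 60 units split into 15 quadratic residues and 30 elements of Jacobi symbol +1, so {−1, +1} × Q_n and J_n both have 30 elements and the exhaustive checks confirm the bijection; the same Inv logic, with p and q of cryptographic size, is the server-side decryption the paper relies on.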



3 The Formal Model 

3.1 Security Model 

Players. We denote by A and B two parties that can participate in the key 
exchange protocol P. Each of them may have several instances called oracles 
involved in distinct, possibly concurrent, executions of P. We denote A (resp. 
B) instances by A^i (resp. B^j), or by U when we consider any user instance. The 
two parties share a low-entropy secret pw which is drawn from a small dictionary 
Password, according to a distribution 𝒟. In the following, we use the notation 
𝒟(n) for the probability to be in the most probable set of n passwords: 

𝒟(n) = max_{P ⊆ Password} { Pr_{pw ← 𝒟}[pw ∈ P | Card(P) ≤ n] }. 

If we denote by U_N the uniform distribution among N passwords, U_N(n) = n/N. 



Queries. We use the security model introduced by Bellare et al. [1], to which paper we refer for more details. In this model, the adversary A has the entire control of the network, which is formalized by allowing A to ask the following queries:

— Execute(A^i, B^j): This query models passive attacks, where the adversary gets access to honest executions of P between the instances A^i and B^j by eavesdropping.

— Reveal(U): This query models the misuse of the session key by any instance U (use of a weak encryption scheme, leakage after use, etc). The query is only available to A if the attacked instance actually “holds” a session key, and it releases the latter to A.

— Send(U, m): This query models A sending a message to instance U. The adversary A gets back the response U generates in processing the message m according to the protocol P. A query Send(A^i, Start) initializes the key exchange algorithm, and thus the adversary receives the flow A should send out to B.

In the active scenario, the Execute-query may seem rather useless: after all, the Send-query already gives the adversary the ability to carry out honest executions of P among parties. However, even in the active scenario, Execute-queries are essential to properly deal with dictionary attacks. Actually the number of Send-queries directly asked by the adversary does not take into account the number of Execute-queries. Therefore, q_s represents the number of flows the adversary may have built by itself, and thus the number of passwords it may have tried. Even better, q_a + q_b is an upper-bound on the number of passwords it may have tried, where q_a (resp. q_b) is the number of A (resp. B) instances involved in the attack. For the sake of simplicity, we restricted queries to A and B only. One can indeed easily extend the model, and the proof, to the more general case, keeping in mind that we are interested in the security of executions involving at least A or B, with the password pw shared by them. Additional queries would indeed use distinct passwords, which could be assumed public in the security analysis (known to our simulator).

3.2 Security Notions 

Two main security notions have been defined for key exchange protocols. The 
first one is the semantic security of the key, which means that the exchanged key 
is unknown to anybody else than the players. The second one is unilateral or 
mutual authentication, which means that either one, or both, of the participants 
actually know the key. 

AKE Security. The semantic security of the session key is modeled by an additional query Test(U). The Test-query can be asked at most once by the adversary A and is only available to A if the attacked instance U is Fresh. The freshness notion captures the intuitive fact that a session key is not “obviously” known to the adversary. An instance is said to be Fresh if the instance has accepted (i.e. the flag accept is set to true) and neither it nor its partner (i.e. the other instance with same session tag, or SID, which is defined as the view the player has of the protocol, the flows, before it accepts) have been asked for a Reveal-query. The Test-query is answered as follows: one flips a (private) coin b and forwards sk (the value Reveal(U) would output) if b = 1, or a random value if b = 0.

We denote the AKE advantage as the probability that A correctly guesses the value of b. More precisely we define Adv^{ake}_P(A) = 2 Pr[b = b'] − 1, where the probability space is over the password, all the random coins of the adversary and all the oracles, and b' is the output guess of A for the bit b involved in the Test-query. The protocol P is said to be (t, ε)-AKE-secure if A’s advantage is smaller than ε for any adversary A running with time t.

Entity Authentication. Another goal of the adversary is to impersonate a party. We may consider unilateral authentication of either A (A-Auth) or B (B-Auth), thus we denote by Succ^{A-auth}_P(A) (resp. Succ^{B-auth}_P(A)) the probability that A successfully impersonates an A instance (resp. a B instance) in an execution of P, which means that B (resp. A) terminates (i.e. the terminate flag is set to true) even though it does not actually share the key with any accepting partner A (resp. B).

A protocol P is said to be (t, ε)-Auth-secure if A’s success for breaking either A-Auth or B-Auth is smaller than ε for any adversary A running with time t. This protocol then provides mutual authentication.

4 Algorithmic Assumptions 

In this section we state some algorithmic assumptions we need in order to construct an IPAKE protocol. As already sketched in section 1.2, our basic building block is a family of trapdoor hard-to-invert bijections F. More precisely each bijection f ∈ F needs to be a group isomorphism from a group (X_f, ⊗_f) into a group (Y_f, ⊕_f), where ⊘_f (resp. ⊖_f) is the inverse operation of ⊗_f (resp. ⊕_f)³. As an additional assumption we require the existence of a generalized full-domain hash function G, which on a new input (f, q) outputs a uniformly distributed element in Y_f. This is the reason why we need the decidability of Y_f: in practice, G will be implemented by iterating a hash function until the output is in Y_f.

The non-invertibility of the functions in the family F is measured by the “ability”, for any adversary A, in inverting a random function (in F) on a random point, uniformly drawn from Y_f:

$$\mathrm{Succ}^{\mathcal{F}}(\mathcal{A}) = \Pr\bigl[f \leftarrow \mathcal{F},\ x \leftarrow X_f : \mathcal{A}(f, f(x)) = x\bigr].$$

More precisely, we denote by Succ^F(t) the maximal success probability for all the adversaries running within time t. A simpler task for the adversary may be to output a list of n elements which contains the solution:

$$\mathrm{SuccInSet}^{\mathcal{F}}(\mathcal{A}) = \Pr\bigl[f \leftarrow \mathcal{F},\ x \leftarrow X_f,\ S \leftarrow \mathcal{A}(f, f(x)) : x \in S\bigr].$$

As above, we denote by SuccInSet^F(n, t) the maximal success probability for all the adversaries running within time t, which output sets of size n.

4.1 The RSA Family: F = RSA

As described in section 2.4 the function f is defined by n and e, Y_f = X_f = Z_n^*. And, for any x ∈ Z_n^*, f(x) = x^e mod n. For a correctly generated n and a valid e (i.e. an e such that gcd(φ(n), e) = 1) the non-invertibility of the function is equivalent to the, widely conjectured, one-wayness of RSA. This leads to the following

$$\mathrm{Succ}^{\mathcal{F}}_{\mathsf{RSA}}(t + nT_{\exp}) = \mathrm{Succ}^{\mathsf{RSA}}(t + nT_{\exp}) \ \ge\ \mathrm{SuccInSet}^{\mathsf{RSA}}(n, t) = \mathrm{SuccInSet}^{\mathcal{F}}_{\mathsf{RSA}}(n, t),$$

where T_exp is an upper-bound on the time required to perform an exponentiation.

4.2 The Diffie-Hellman Family: F = DH

Let G = ⟨g⟩ be any cyclic group of (preferably) prime order q. As sketched in section 2.4, the function f is defined by a point P = g^x in G \ {1} (and thus x ≠ 0 mod q), and X_f = Y_f = G. For any Q = g^y ∈ G, f(Q) = g^{xy}.

A (t, ε)-CDH_{g,G} attacker, in the finite cyclic group G of prime order q, generated by g, is a probabilistic machine A running in time t such that

$$\mathrm{Succ}_{g,G}(\mathcal{A}) = \Pr\bigl[\mathcal{A}(g^x, g^y) = g^{xy}\bigr] \ge \varepsilon,$$

³ For visual comfort in the following we adopt the symbols f, X_f, Y_f rather than (respectively) f_m
Fig. 1 (protocol figure, rendered as text). Alice and Bob share the common password pw.

Alice: accept ← false
Bob: accept ← false, terminate ← false

Alice: (f, t) ← Gen(1^k)                          Alice → Bob: Alice, f
Bob: seed ← {0, 1}^k                               Bob → Alice: Bob, seed
Alice: p ← Prove^m(f, t, seed)                     Alice → Bob: p
Bob: Check^m(f, seed, p)?
     r ← R_f, x ← Sample(f, r), y ← Sample'(f, r)
     PW ← G(f, pw), y* ← y ⊕_f PW                  Bob → Alice: y*
Alice: PW ← G(f, pw)
       y' ← y* ⊖_f PW, x' ← Inv(f, t, y')          Alice → Bob: Auth
       accept ← true
Bob: Auth valid? ⇒ accept ← true
     terminate ← true

Fig. 1. An execution of the IPAKE protocol: Auth is computed by Alice (Bob resp.) as H_1(Alice||Bob||f||y*||pw||x) (H_1(Alice||Bob||f||y*||pw||x') resp.), and sk is computed by Alice (Bob resp.) as H_0(Alice||Bob||f||y*||pw||x) (H_0(Alice||Bob||f||y*||pw||x') resp.)



where the probability is taken over the random values x and y in Z_q. As usual, we denote by Succ_{g,G}(t) the maximal success probability over every adversary running within time t. Then, when g and G are fixed, Succ^{DH}(t) = Succ_{g,G}(t). Using Shoup’s result [25] about “self-correcting Diffie-Hellman”, one can see that if SuccInSet^{DH}(n, t) ≥ ε, then Succ^{DH}(t') ≥ 1/2 for some t' ≤ 6/ε × (t + nT_exp).

4.3 The Squaring Family: F = Rabin

As discussed in section 2.4, if one assumes that the modulus n is the product of two Blum primes, the signed squaring function f becomes an isomorphism from {−1, +1} × Q_n onto J_n. Furthermore, for a correctly generated n the non-invertibility of f is trivially equivalent to the one-wayness of factoring Blum composites. This leads us to the following inequality

$$\mathrm{Succ}^{\mathcal{F}}_{\mathsf{Rabin}}(t + nT_{\exp}) = \mathrm{Succ}^{\mathsf{Rabin}}(t + nT_{\exp}) \ \ge\ \mathrm{SuccInSet}^{\mathcal{F}}_{\mathsf{Rabin}}(n, t),$$

which provides a very tight bound because, in this case, T_exp represents the time required to perform a single modular multiplication (i.e. to square).

5 Security Proof for the IPAKE Protocol 

5.1 Description and Notations 

In this section we show that the IPAKE protocol distributes session keys that are semantically secure and provides unilateral authentication for the client A. The specification of the protocol can be found in Figure 1. Some remarks about notation are in order:

— We assume F to be a correct family, with a verifiable sub-family of trapdoor hard-to-invert isomorphisms f from X_f into Y_f. In the following, we identify m to f_m, and thus f. We denote by s the size of I. Furthermore, we denote by q a lower bound on the size of any Y_f.

— For this choice of parameters for the family F, we can define the function G which is assumed to behave like a generalized full-domain random oracle. In particular we model G as follows: on input a couple (f, q) it outputs a random element, uniformly distributed in Y_f.

Since we only consider unilateral authentication (of A to B), we just introduce a terminate flag for B.



5.2 Security Proof 

Theorem 1 (AKE/UA Security). Let us consider the protocol IPAKE, over a family F of trapdoor hard-to-invert isomorphisms, with parameter (s, q), where Password is a dictionary equipped with the distribution D. For any adversary A within a time bound t, with less than q_s active interactions with the parties (Send-queries) and q_p passive eavesdroppings (Execute-queries), and asking q_g and q_h hash queries to G and any H_i respectively: Adv^{ake}_{IPAKE}(A) ≤ 4ε and Succ^{A-auth}_{IPAKE}(A) ≤ ε, with ε upper-bounded by

$$\mathcal{D}(q_a + q_b) + 6\,q_a\,\mathrm{SuccInSet}^{\mathcal{F}}(Q,\ t + Q_p T_{law}) + q_b\,\mathrm{Succ}^{forge}(t) + \frac{\cdots}{2^{l_1}} + \frac{\cdots}{2^{s}},$$

where q_a and q_b denote the number of A and B instances involved during the attack (each upper-bounded by q_p + q_s), Q ≤ q_g + q_h + 2q_p + q_s and Q_p denotes the number of involved instances (Q_p ≤ 2q_p + q_s), and T_law is the time needed for evaluating one law operation. Let us remind that l_1 is the output length of H_1 (the authenticator).

For lack of space, we refer to the full version [8] for the full proof; here we justify the main terms in the security result.

Ideally, when one considers a password-based authenticated key exchange, one would like to prove that the two above success/advantage are upper-bounded by D(q_a + q_s), plus some negligible terms. For technical reasons in the proof (to get a clear proof) we have a small additional constant factor. This main term is indeed the basic attack one cannot avoid: the adversary guesses a password and makes an on-line trial. Other ways for it to break the protocol are:

— use a function f that is not a permutation, and in particular not a surjection. With the view of y, the adversary tries all the passwords, and only a strict fraction leads to y in the image of f: this is a partition attack. But for that, it has to forge a proof of validity for f. Hence the term q_b × Succ^{forge}(t);

— use the authenticator Auth to check the correct password. But this requires the ability to compute f^{-1}(PW). Hence the term q_a × SuccInSet^F(·, ·).

— send a correct authenticator Auth, but being lucky. Hence the term .

Additional negligible terms come from very unlikely collisions. All the remaining kinds of attacks need some information about the password.

6 A Concrete Example: The SQRT-IPAKE Protocol 

An important contribution of this work (at least from a practical point of view) 
is the first efficient and provably secure password-based key exchange protocol 
based on factoring. The formal protocol appears in Figure 2. Here we describe 
the details of this specific implementation. 



Fig. 2 (protocol figure, rendered as text). Shared password: pw.

Alice: accept ← false
       p_1, p_2 ← BlumPrimes(k/2), n ← p_1 p_2           Alice → Bob: Alice, n
Bob: accept ← false, terminate ← false
     seed ← {0, 1}^k                                     Bob → Alice: Bob, seed
Alice: p ← Prove^m(n, (p_1, p_2), seed)                  Alice → Bob: p
Bob: Check^m(n, seed, p)?
     x ← Z_n^*, x ← x^2 mod n
     b ← {0, 1}, y ← (−1)^b x^2 mod n
     PW ← G(n, pw), y* ← y × PW mod n                    Bob → Alice: y*
Alice: PW ← G(n, pw)
       y' ← y* × PW^{−1} mod n, x' = SQRT(y') mod n      Alice → Bob: Auth
       accept ← true
Bob: Auth valid? ⇒ accept ← true
     terminate ← true

sk = H_0(Alice||Bob||n||y*||pw||x)
Auth = H_1(Alice||Bob||n||y*||pw||x)

Fig. 2. SQRT-IPAKE protocol



6.1 Description of the SQRT-IPAKE Protocol 

In order for the protocol to be correct we need to make sure that the adopted function is actually an isomorphism. As seen in section 2.4 this is the case if one assumes that the modulus n is the product of two Blum primes, and f_n : {−1, +1} × Q_n → J_n is the signed squaring function. We thus set X_f = {−1, +1} × Q_n and Y_f = J_n, and, of course, the internal law is the multiplication in the group Z_n^*. In order for the password PW to be generated correctly, we need a G(n, ·) hash function onto J_n. Constructing such a function is pretty easy: we start from a hash function onto {0, 1}^k, and we iterate it until we get an output in J_n. The details of this technique are deferred to the full version of this paper [8]. Here we stress that if n > 646 then very few iterations are sufficient. As already noticed, we require Alice to prove the following about the modulus n, so that the function is actually an isomorphism:

— The modulus n is in the correct range (n > 646);

— The Jacobi symbol of −1 is +1 in Z_n^* (this is to make sure that f_n is actually a morphism);

— The signed squaring function is actually an isomorphism from {−1, +1} × Q_n onto J_n (this is to make sure that any square in Z_n^* has exactly 4 roots).

Proving the first two statements is trivial. For the third one we need some new machinery.

6.2 Proof of Correct Modulus 

With the following theorem (whose proof can be found in the full version of this 
paper [8]) we show that if n is a composite modulus (with at least two different 
prime factors) then the proposed function is an isomorphism. 

Theorem 2. Let n be a composite modulus containing at least two different prime factors and such that −1 has Jacobi symbol +1 in Z_n^*. Moreover let f_n be the morphism defined above. The following facts are true

1. If f_n is surjective then it is an isomorphism.

2. If f_n is not surjective, then at most half of the elements in J_n have a pre-image.

The theorem above leads to the protocol Prove-Surjective (see Figure 3). The 
basic idea of this protocol is that we prove that our function is a bijection by 
proving it is surjective. Soundness follows from the second statement. However, 
in order to fall into the hypotheses of the theorem, we need to make sure n 
is actually a composite modulus of the required form (i.e. with at least two 
distinct prime factors). We achieve this with the Prove-Composite protocol 
(see Figure 3). The correctness (completeness, soundness and zero-knowledge 
properties) of these protocols is deferred to the full version of this paper [8].

Remark 3. We point out that our protocol is very efficient, for the verifier, in 
terms of modular multiplications. It is also possible for Alice to use the same 
modulus for different sessions. 
Fig. 3 (proof figure, rendered as text). Common setup for both protocols:
H_2(n, ·, ·) and H_4(n, ·, ·) are full-domain hash functions onto J_n;
H_3 (H_5 resp.) is a random oracle onto {0, 1}^k ({0, 1}^ℓ resp.);
Bob chooses a random seed seed and sends it to Alice.

Protocol Prove-Composite. For i ← 1 to ℓ, Alice:

1. Sets y_i = H_2(n, seed, i) ∈ J_n

2. Computes (β_i, α_{i,0}, α_{i,1}, α_{i,2}, α_{i,3}) such that
   — α_{i,0} = −α_{i,1} mod n
   — α_{i,2} = −α_{i,3} mod n
   — α_{i,j}^2 = y_i β_i mod n (j = 0, …, 3), where β_i ∈ {−1, +1}

3. Sets h_{i,j} = H_3(n, α_{i,j}) (j = 0, …, 3)

One defines c_1, …, c_ℓ = H_5(n, seed, {h_{i,j}}).

Alice answers with, for i = 1, …, ℓ: (β_i, α_{i,2c_i}, α_{i,2c_i+1})

Bob checks that, for each i:

1. the h_{i,j}, for j = 0, …, 3, are all distinct

2. α_{i,2c_i} = −α_{i,2c_i+1} mod n

3. h_{i,2c_i} = H_3(n, α_{i,2c_i}) and h_{i,2c_i+1} = H_3(n, α_{i,2c_i+1})

4. H_2(n, seed, i) = β_i α_{i,2c_i}^2 mod n

Protocol Prove-Surjective. For i ← 1 to ℓ, Alice:

1. Sets z_i = H_4(n, seed, i) ∈ J_n

2. Computes (b_i, x_i) = f_n^{−1}(z_i) such that (b_i, x_i) ∈ {−1, +1} × Q_n

3. Computes a value γ_i such that γ_i^2 = x_i mod n (this is to make sure that x_i is actually in Q_n);

Alice answers with, for i = 1, …, ℓ: (γ_i, b_i)

Bob checks that, for each i: b_i γ_i^4 = H_4(n, seed, i) mod n

Fig. 3. Proof of Correct Modulus
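As an added example, not code from the paper, the following Python sketch runs the SQRT-IPAKE exchange of Section 6.1 / Fig. 2 and the Prove-Surjective half of Fig. 3 with a deliberately tiny Blum modulus. The signed squaring map f_n(s, x) = s·x² mod n, its trapdoor inverse through the two primes, the iterated-hash construction of G(n, ·) onto J_n, and Bob's checks (Jacobi symbol of −1, then b_i γ_i^4 = z_i for each round) follow the text; the concrete primes 11 and 19, the use of SHA-256 for G, H_0, H_1 and H_4, the encoding of the hash inputs, and the omission of Prove-Composite are assumptions of this example, not choices made by the paper.

```python
# Added example (not the paper's code): toy SQRT-IPAKE run plus the Prove-Surjective
# check of Fig. 3. Primes, hash instantiations and input encodings are assumptions.
import hashlib
from math import gcd


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def qr_root_mod_blum_prime(a, p):
    """p = 3 mod 4 and a a quadratic residue: return the root of a that is itself a residue."""
    r = pow(a, (p + 1) // 4, p)
    return r if pow(r, (p - 1) // 2, p) == 1 else (-r) % p


def crt(r1, p1, r2, p2):
    """Combine residues mod p1 and mod p2 into one residue mod p1*p2."""
    return (r1 * p2 * pow(p2, -1, p1) + r2 * p1 * pow(p1, -1, p2)) % (p1 * p2)


def signed_square(n, s, x):
    """f_n(s, x) = s * x^2 mod n: the signed squaring map on {-1,+1} x Q_n."""
    return (s * x * x) % n


def signed_sqrt(n, p1, p2, y):
    """Trapdoor inverse of f_n: for y in J_n return the unique (s, x) with x in Q_n."""
    if gcd(y, n) != 1 or jacobi(y, n) != 1:
        raise ValueError("y is not in J_n")
    s = 1 if pow(y, (p1 - 1) // 2, p1) == 1 else -1  # exactly one of y, -y lies in Q_n
    t = (s * y) % n
    x = crt(qr_root_mod_blum_prime(t, p1), p1, qr_root_mod_blum_prime(t, p2), p2)
    return s, x


def fdh_to_Jn(n, label, data):
    """G(n, .) of Section 6.1: hash, then bump a counter until the output lies in J_n."""
    k_bytes = (n.bit_length() + 7) // 8
    ctr = 0
    while True:
        h = hashlib.sha256(label + n.to_bytes(k_bytes, "big") + data + ctr.to_bytes(4, "big")).digest()
        v = int.from_bytes(h[:k_bytes], "big")
        if 0 < v < n and gcd(v, n) == 1 and jacobi(v, n) == 1:
            return v
        ctr += 1


def prove_surjective(n, p1, p2, seed, rounds):
    """Alice's side of Prove-Surjective (Fig. 3): (gamma_i, b_i) with b_i * gamma_i^4 = H_4(n, seed, i)."""
    proof = []
    for i in range(1, rounds + 1):
        z = fdh_to_Jn(n, b"H4", seed + bytes([i]))
        b, x = signed_sqrt(n, p1, p2, z)             # (b_i, x_i) = f_n^{-1}(z_i)
        gamma = crt(qr_root_mod_blum_prime(x, p1), p1, qr_root_mod_blum_prime(x, p2), p2)  # gamma_i^2 = x_i
        proof.append((gamma, b))
    return proof


def check_surjective(n, seed, proof):
    """Bob's side: -1 must have Jacobi symbol +1, and every round must satisfy b_i * gamma_i^4 = z_i."""
    if n % 2 == 0 or jacobi(-1, n) != 1:
        return False
    for i, (gamma, b) in enumerate(proof, 1):
        z = fdh_to_Jn(n, b"H4", seed + bytes([i]))
        if gcd(gamma, n) != 1 or (b * pow(gamma, 4, n)) % n != z:
            return False
    return True


def run_sqrt_ipake(p1, p2, pw_alice, pw_bob, bob_x, bob_b, seed=b"\x01", rounds=8):
    """One execution of Fig. 2 with Bob's coins supplied; returns (auth_ok, sk_alice, sk_bob)."""
    n = p1 * p2
    if not check_surjective(n, seed, prove_surjective(n, p1, p2, seed, rounds)):
        return False, None, None
    x = pow(bob_x, 2, n)                    # Bob: x <- Z_n^*, x <- x^2 mod n (so x in Q_n)
    s = -1 if bob_b else 1
    y = signed_square(n, s, x)              # y <- (-1)^b x^2 mod n
    y_star = (y * fdh_to_Jn(n, b"G", pw_bob)) % n       # y* <- y * PW mod n
    pw_a = fdh_to_Jn(n, b"G", pw_alice)                 # Alice: PW <- G(n, pw)
    y_prime = (y_star * pow(pw_a, -1, n)) % n           # y' <- y* * PW^-1 mod n
    s_prime, x_prime = signed_sqrt(n, p1, p2, y_prime)  # x' = SQRT(y')

    def h(tag, pw, sx):  # H_0 / H_1 instantiated as tagged SHA-256 (assumption of this example)
        return hashlib.sha256(tag + b"Alice|Bob|" + repr((n, y_star, sx)).encode() + pw).hexdigest()

    auth = h(b"1", pw_alice, (s_prime, x_prime))
    auth_ok = auth == h(b"1", pw_bob, (s, x))   # Bob recomputes Auth from his own (s, x)
    sk_alice = h(b"0", pw_alice, (s_prime, x_prime))
    sk_bob = h(b"0", pw_bob, (s, x)) if auth_ok else None
    return auth_ok, sk_alice, sk_bob
```

With n = 11 × 19 = 209, `signed_sqrt` sends 49 to (+1, 26) and 160 = −49 mod 209 to (−1, 26): 26 is the one root of 49 that is itself a quadratic residue, which is what makes the map a bijection on {−1, +1} × Q_n. A modulus with Jacobi symbol (−1/n) = −1, such as 15, is rejected before any round is checked; flipping a single b_i in an otherwise valid proof makes Bob's check fail. Real deployments would use k/2-bit Blum primes and the full proof of Fig. 3, including Prove-Composite.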
Abstract. We study the suitability of common pseudorandomness
modes associated with cryptographic hash functions and block ciphers 
(CBC-MAC, Cascade and HMAC) for the task of “randomness extrac- 
tion”, namely, the derivation of keying material from semi-secret and/or 
semi-random sources. Important applications for such extractors include 
the derivation of strong cryptographic keys from non-uniform sources of 
randomness (for example, to extract a seed for a pseudorandom genera- 
tor from a weak source of physical or digital noise), and the derivation 
of pseudorandom keys from a Diffie-Hellman value.

Extractors are closely related in their applications to pseudorandom 
functions and thus it is attractive to (re)use the common pseudoran- 
dom modes as randomness extractors. Yet, the crucial difference between 
pseudorandom generation and randomness extraction is that the former 
uses random secret keys while the latter uses random but known keys. We 
show that under a variety of assumptions on the underlying primitives 
(block ciphers and compression functions), ranging from ideal random- 
ness assumptions to realistic universal-hashing properties, these modes 
induce good extractors. Hence, these schemes represent a more practical 
alternative to combinatorial extractors (that are seldom used in prac- 
tice), and a better-analyzed alternative to the common practice of using 
SHA-1 or MD5 (as a single un-keyed function) for randomness extraction. 
In particular, our results serve to validate the method of key extraction 
and key derivation from Diffie-Hellman values used in the IKE (IPsec’s 
Key Exchange) protocol. 



1 Introduction 

1.1 Key Derivation and Randomness Extractors 

Key derivation is a central functionality in cryptography concerned with the 
process of deriving secret and random cryptographic keys from some source of 

* Extended abstract. Full version available at eprint.iacr.org/2004/

Franklin (Ed.): CRYPTO 2004, LNCS 3152, pp. 494-510, 2004. 
semi-secret randomness. In general, it is sufficient to derive a single random and secret key (say of length 128) which can then be used to key a pseudorandom function (or a pseudorandom generator) to obtain further pseudorandom keys as needed. Thus, a basic question, which motivates the work presented here, is how to derive such a random and secret key when all that is given is an imperfect source of randomness which contains some good amount of secret (computational) entropy, but this entropy is not presented in a direct form of uniformly (or pseudorandomly) distributed secret bits. This problem arises in a variety of scenarios such as when deriving keys from a non-uniform source of noise (as used, for example, by physical random generators) or from semi-random data (say, coming from user’s input or the sampling of computer events, etc.). This is also the case when deriving keys from a Diffie-Hellman (DH) exchange. Let us elaborate on the latter case.

Let’s assume that two parties run a DH protocol in order to agree on a shared secret key, namely, they exchange DH exponentials g^x and g^y and compute the DH value g^{xy}. In this case, g^x and g^y as seen by the attacker fully determine g^{xy}. Yet, it is assumed (by the Decisional Diffie-Hellman, DDH, assumption) that a computationally-bounded attacker cannot distinguish g^{xy} from a random element in the group generated by g. Thus, one can assume that g^{xy} contains t = log_2(order(g)) bits of computational entropy relative to the view of the attacker (for a formal treatment of computational entropy in the DH context see [GKR04]). However, this entropy is spread over the whole value g^{xy} which may be significantly longer than t¹. Thus, we are in a situation similar to that of an imperfect source of randomness as discussed above. In particular, g^{xy} cannot be used directly as a cryptographic key, but rather as a source from which to extract a shorter string (say, of length 128) of full computational entropy which can then be used as a cryptographic key.

The tools used to derive a uniform key from these sources of imperfect ran- 
domness are often referred to as randomness extractors. The amount of theo- 
retical results in this area is impressive; moreover, some of the constructions 
that have proven extraction guarantees are also efficient (see [Sha02] for a recent 
survey). One such example is the so called “pairwise independent universal hash 
functions” (also called “strongly universal”) [CW79] which have quite efficient 
implementations and provable extraction properties. In particular, [HILL99] 
shows (see also [Lub96,Gol01]) that if an input distribution has sufficient min- 
entropy (meaning that no single value is assigned a too-large probability even 
though the distribution may be far from uniform) then hashing this input into a 
(sufficiently) shorter output using a function chosen at random from a family of 
strongly universal hash functions results in an output that is statistically-close 
to uniform. (This result is often referred to as the “Leftover Hash Lemma”.) 

¹ For example, consider that g is an element of prime order q in Z_p^* (i.e., p and q are primes and q | p − 1), and that |p| = 1024 and |q| = 512. In this case the DDH assumption guarantees that the value g^{xy} hides (from the attacker) 512 bits of computational entropy, yet these bits are spread in some unknown way among the 1024 bits of g^{xy}.




496 Yevgeniy Dodis et al. 



Yet, in spite of these results and an extensive literature studying their ap- 
plication to real cryptographic problems (such as those mentioned earlier, and 
in particular for the DH case [GKR04]) one seldom encounters in practice the 
use of strong universal hashing or other proven extractors. Instead, the common 
practice is to use cryptographic hash functions (such as MD5 and SHA-1) for 
the purpose of randomness extraction. A main reason for this practice, justified 
by engineering considerations, is that cryptographic hash functions are readily 
available in software and hardware implementations, and are required by most 
cryptographic applications for purposes other than randomness extraction (e.g., 
as pseudorandom functions). Therefore, it is attractive and convenient to use 
them for key extraction as well. Also, the common perception that these hash 
functions behave as random functions (formalized via the notion of “random 
oracles”) makes them intuitively appealing for the extraction applications. 



1.2 Randomness Extraction via Common Chaining Modes 

In this paper we attempt to bridge between the world of provable extraction 
and the common practice of relying on idealized hash functions. The question 
that we ask is what is the best way to use cryptographic hash functions, or 
other widely available cryptographic tools such as block ciphers, for the task of 
randomness extraction. Specifically, we consider three common modes of operation: CBC chaining, cascade (or Merkle-Damgård) chaining, and HMAC, and analyze the appropriateness of these modes as extraction tools. Since the goal is to provide as general (and generic) as possible results, we do not investigate the extraction properties of specific functions (say SHA-1 or AES) but rather abstract the basic primitives (the compression functions in the case of the cascade and HMAC modes, and block ciphers in the case of CBC), as random functions or permutations².

Before going on with the description of our results, it is worth considering 
the following issue. Given that the common practice is to extract randomness 
using a hash function modeled as a random oracle, then how much do we gain 
by analyzing the above modes under the weaker, but still idealized, randomness 
assumption on the underlying basic primitives. There are several aspects to this 
question. 

The first thing to note is that modeling the compression function of SHA-1, for example, as a random function, or as a family of random functions, is a strict relaxation to modeling SHA-1 (as a single un-keyed function) as a random function. This is easily seen from the fact that even if one starts with a random function as the compression function the result of the cascade chaining (which is how SHA-1 is derived) is not a random function. (For example, in the cascade construction, the probability that two L-block inputs that differ only in their first block are mapped to the same k-bit output is L/2^k, while for

² In the case of HMAC we obtain results based on non-ideal assumptions on the underlying basic primitives (see Section 1.3).
a random function this probability is 1/2^k). Another important point is that cryptographic design work focuses on building the basic blocks, i.e. a compression function or a block cipher. Thus, making an assumption on these primitives represents design goals that the designers of those primitives can then try to satisfy. Also
analysis of the type presented here, rather than implying the security of any spe- 
cific implementation of these functions, serves to validate the suitability of the 
corresponding chaining modes for some defined goal (in our case the goal is ran- 
domness extraction). Indeed, the common approach for analyzing such modes 
(e.g., [Dam89,BKR94,BCK96a,BCK96b]) is to make some assumption on the 
basic primitive (for example, assuming the underlying compression function to 
be a pseudorandom function, or a secure MAC, or a collision-resistant hash func- 
tion) and then proving that these or other properties are preserved or implied 
by the chaining operation. 

In addition, the “monolithic” randomness assumption on a single (unkeyed) 
function such as SHA-1 is inappropriate for the setting of randomness extraction 
as no single function (even if fully random) can extract a close-to-uniform distri- 
bution from arbitrary high-entropy input distributions. This is so, since once the 
function is fixed (even if to purely random values) then there are high-entropy 
input distributions that will be mapped to small subsets of outputs³. Therefore, 
the viable approach for randomness extraction is to consider a family (or col- 
lection) of functions indexed by a set of keys. When an application requires the 
hashing of an input for the purpose of extracting randomness, then a random 
element (i.e., a function) from this family is chosen and the function is applied 
to the given input. While there may be specific input distributions that interact 
badly with specific functions in the family, a good randomness-extraction family 
will make this “bad event” happen with very small probability. Universal hash 
families, mentioned before, are examples of this approach. An important point 
here is that, while the choice of a function from the family is done by selecting 
a random index, or key, this key does not need to be kept secret (this is im- 
portant in applications that use extraction to generate secret keys; otherwise, 
if we required this index to be secret then we would have a “chicken and egg” 
problem). 

In our setting, families of keyed functions come up naturally with block ci- 
phers and compression functions (for the latter we consider, as in HMAC, the 
variable IV as the key to the function). These functions are defined on fixed 
length inputs (e.g., 512 bits in the case of compression function of SHA-1, or 
128 in the case of AES). Then, to hash arbitrarily long inputs, we extend these 
families by the appropriate chaining mode: cascade chaining (or HMAC) for com- 
pression functions, and CBC-MAC in the case of block ciphers. What makes the 
analysis of these functions challenging (in the setting of randomness extraction) 
is that, as discussed before, the key to the function is random but known. For example, the fact that the above functions are widely believed to be pseudorandom does not help much here since, once the key is revealed, the pseudorandom properties may be lost completely (see full paper). Yet, as we will see in Section 4.2, we do use the pseudorandom property in some of our analysis. Also worth noting is that using families that are pseudorandom for extraction is particularly convenient since these same functions can then be used by the same application (for example, a key-exchange protocol, a random generator, etc.) for further key derivation (using the extracted key to key the pseudorandom function).

³ For example, let F be a random function from ℓ to k bits and let S denote the subset of {0, 1}^ℓ that is mapped by F to outputs with a low-order bit of zero. If we consider the uniform distribution on S as the input distribution, then this distribution has almost full entropy, yet the output of F on S is trivially distinguishable from uniform.

The last question is how to generate the random known keys used by the 
extractor. Technically this is not hard, as the parties can generate the appropri- 
ate randomness, but the exact details depend on the application. For example, 
in the DH key exchange discussed earlier, the parties exchange in the clear ran- 
domly chosen values, which are then combined to generate a single key k for the 
extractor family {H_k} (e.g. HMAC-SHA1). The shared key is set to H_k(g^{xy}). 
We note that this is substantially the procedure in place in the IKE protocol 
[RFC2409,IKEv2] (see also [Kra03]), and this paper presents the first formal 
analysis of this design. 

A similar DH key extraction step is required in non-interactive scenarios, 
such as ElGamal or Cramer-Shoup encryption. There the extractor key k can 
be chosen either by the encryptor and appended to the ciphertext, or chosen by 
the decryptor and included in the public key (this choice is mandatory in case 
we want CCA-security, as we don’t want to leave the choice of k in the hands 
of the adversary). For a different example, consider a cryptographic hardware 
device, containing a physical random generator that samples some imperfect 
source of noise. In this case the application can choose a random hash function 
in the family and wire-in its key into the randomness generation circuit [BST03]. 
Notice that by using our results, it will be possible to perform the extraction 
step using circuitry (such as a block-cipher or a cryptographic hash function) 
which is very likely to already be part of the device. 
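The two points of this subsection side by side, as an added example that is not taken from the paper: an extractor keyed by a random but public value (the way IKE feeds the exchanged nonces into its prf, as described above), next to the fixed-function failure of the footnote. The toy 16-bit-to-8-bit family built from truncated SHA-256, the names `salt` and `fixed_key`, and the use of HMAC-SHA-256 as the keyed family {H_k} are assumptions of this example.

```python
# Added example (not the paper's code): extraction with a random *known* key,
# and why a single fixed function cannot be an extractor (footnote construction).
import hashlib
import hmac


def extract_with_known_key(salt, dh_value, out_len=16):
    """Derive a key from a DH value with a public, randomly chosen extractor key:
    H_k(g^xy) with {H_k} instantiated as HMAC-SHA-256 keyed by salt (assumption)."""
    return hmac.new(salt, dh_value, hashlib.sha256).digest()[:out_len]


def keyed_toy_function(key, x):
    """F_key : {0,1}^16 -> {0,1}^8, a keyed family standing in for a family of random functions."""
    return hashlib.sha256(key + x.to_bytes(2, "big")).digest()[0]


def bad_input_set(key, ell=16):
    """Footnote construction: S = inputs that F_key maps to an output with low-order bit 0.
    |S| is about 2^(ell-1), so the uniform distribution on S has almost full min-entropy."""
    return [x for x in range(1 << ell) if keyed_toy_function(key, x) & 1 == 0]


def lsb_zero_fraction(key, inputs):
    """Fraction of F_key(x), x uniform on inputs, whose low-order bit is 0 (1/2 if unbiased)."""
    return sum(1 for x in inputs if keyed_toy_function(key, x) & 1 == 0) / len(inputs)


def fixed_vs_keyed_extraction():
    """Returns (|S|, output bias under the fixed function, bias under a fresh random key)."""
    fixed_key = b"fixed"                          # one fixed, unkeyed function F = F_fixed
    S = bad_input_set(fixed_key)                  # a high-entropy source that F maps onto half the outputs
    biased = lsb_zero_fraction(fixed_key, S)      # 1.0: trivially distinguishable from uniform
    fresh_key = b"index chosen at random after S is fixed"
    unbiased = lsb_zero_fraction(fresh_key, S)    # about 0.5: a random member of the family extracts
    return len(S), biased, unbiased
```

The bad set S is built against one member of the family and has min-entropy of about 15 bits out of 16, yet that member maps it to outputs whose low-order bit is always 0. Choosing the function index after the source is fixed removes the bias, which is exactly why the extractor key must be chosen at random per use but need not be secret.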



1.3 Our Results 

The Extraction Properties of CBC-MAC Mode. We show, in Section 3, that if f is a random permutation over {0, 1}^k and X is an input distribution with min-entropy of at least 2k, then the statistical distance between F(X) (where F represents the function f computed in CBC-MAC mode over L blocks) and the uniform distribution on {0, 1}^k is L · 2^{−k/2}. As an example, in the application (discussed before) in which we use the CBC-MAC function F to hash a Diffie-Hellman value computed over a DDH group of order larger than 2^{2k}, we get that the output distribution F(g^{xy}) is computationally indistinguishable from a distribution whose distance from uniform is at most L · 2^{−k/2}, hence proving (under DDH) that the k-bit output from F(g^{xy}) is computationally indistinguishable from uniform (and thus suitable for use as a cryptographic key). Note that if one works over Z_p^* for 1024-bit p and k = 128, then all we need to assume is a min-entropy of 256 out of the 1024 bits of g^{xy}. In the full paper we show that for input distributions with particularly high entropy (in particular those that contain a k-bit block of almost-full entropy) the CBC-MAC mode guarantees an almost-uniform output for any family of permutations.

The Extraction Properties of Cascade Chaining. In Section 4 we study the cascade (or Merkle-Damgård) chaining used in common hash functions such as MD5 and SHA-1. We show these families to be good extractors when modeling the underlying compression function as a family of random functions. However, in this case we need a stronger assumption on the entropy of the input distribution. Specifically, if the output of the compression function is k bits long (typically, k = 128 or 160) we assume a min-entropy of 2k over the whole input, and "enough" min-entropy over the distribution induced on the last block of input (typically of length 512 bits). For example, if the last block has k bits of min-entropy, and we assume L blocks, then the statistical distance between the output of the cascade construction and the uniform distribution (on {0,1}^k) is at most L · 2^{-k/2}. We note that the above restriction on the last-block distribution is particularly problematic in the case of practical functions such as MD5 and SHA since the input-padding conventions of these functions may cause a full fixed block to be added as the last block of input. In this case, the output distribution is provably far from uniform. Fortunately, we show that our analysis is applicable also to the padded-input case. However, instead of proving a negligible statistical distance, what we show is that the output of the "padded cascade" is computationally indistinguishable from uniform, a result that suffices for the cryptographic applications of extraction. Finally, we prove that when every block of input has large-enough min-entropy (conditioned on the distribution of previous blocks), then the above extraction results hold under the sole (and non-ideal) assumption that the underlying compression function is a family of δ-AU functions (for sufficiently small δ).

The Extraction Properties of HMAC. HMAC is the most widely used pseudorandom mode based on functions such as MD5 or SHA, thus proving its extraction properties is extremely important. Our main result concerning the good extraction properties of HMAC is proven on the basis of a high min-entropy (2k bits) in the input distribution X, without relying on any particular entropy in the last block of input. Specifically, let F denote the keyed hash function underlying an instantiation of HMAC (e.g., F is SHA-1 with random IV) and let f be the corresponding outer compression function. Then we show that if F is collision resistant and f is modeled as a random function then the output of HMAC (on input drawn from the distribution X) is indistinguishable from uniform for any attacker that is restricted in the number of queries to the function f. Moreover, if the compression function itself is a good extractor, then HMAC is a good extractor too. However, in this latter case if we are interested in an output of ℓ close-to-uniform bits then the key to the underlying compression function needs to be sufficiently larger than ℓ. As a concrete example, if ℓ = 160 (e.g., we need to generate a pseudorandom key of length 160) then we can use HMAC with SHA2-512. Note that this result is particularly interesting in the sense that it




500 Yevgeniy Dodis et al. 



uses no idealized assumptions, and yet the output of HMAC is provably close to uniform (even against completely unbounded attackers, including attackers that can break the collision resistance of F).

Remark (Pseudorandom functions with known keys). It is tempting to use the pseudorandomness properties enjoyed by the modes studied here as a basis to claim good (computational) extraction properties. For example, in spite of the fact that the output of these functions may be statistically very far from uniform, it is still true that no (efficient) standard statistical test will be able to tell this output apart from random (simply because such a test does not use the knowledge of the key, even if this key is known). Yet, for cryptographic applications, using a family of functions as extractors based solely on the assumption that the family is pseudorandom may be totally insecure. We illustrate this point by showing, in the full paper, an example of a secure pseudorandom family whose output is trivially distinguishable from randomness once the key is known.

All proofs appear in the full version of the paper. 



2 Universal Hashing and Randomness Extraction 

Preliminaries. For a probability distribution X we use the notation x ∈_R X to mean that x is chosen according to the distribution X. For a set S, x ∈_R S is used to mean that x is chosen from S with uniform probability. Also, for a probability distribution X we use the notation Pr_X(x) to denote the probability assigned by X to the value x. (We often omit the subscript when the probability distribution is clear from the context.) Throughout the paper, we will use d(L) to denote the maximal number of divisors of any number smaller than or equal to L. As a very crude upper bound, we will sometimes use the fact that d(L) < 2√L.

Min-Entropy and Collision Probability. For a probability distribution X over {0,1}^n, we define its min-entropy as the minimum integer m such that for all x ∈ {0,1}^n, Pr_X(x) ≤ 2^{-m}. We denote the min-entropy of such X by H∞(X). The collision probability of X is Col(X) = Pr_{x,x' ∈_R X}(x = x') = Σ_x Pr(X = x)^2 and the Rényi (or collision) entropy of X is H_2(X) = −log_2 Col(X). It is easy to see that these two notions of entropy are related: H∞(X) ≤ H_2(X) ≤ 2H∞(X). In particular, we will frequently use the fact that Col(X) ≤ 2^{−H∞(X)}.

Statistical Distance. Let X_1, X_2 be two probability distributions over the set S. The statistical distance between the distributions X_1 and X_2 is defined as SD(X_1, X_2) = ½ Σ_{s∈S} |Pr_{X_1}(s) − Pr_{X_2}(s)|. If two distributions have statistical distance of (at most) ε, then we refer to them as ε-close. We note that ε-close distributions cannot be distinguished with probability better than ε even by a computationally unbounded adversary. It is also well known that if Y has support on some set S and U is the uniform distribution over this set, then

$$\mathrm{SD}(Y, U) \le \tfrac{1}{2}\sqrt{|S| \cdot \mathrm{Col}(Y) - 1} \qquad (1)$$
Definition 1. Let k and l be integers, and {h_κ}_{κ∈K} be a family of hash functions with domain {0,1}^l, range {0,1}^k and key space K. We say that the family {h_κ}_{κ∈K} is δ-almost universal (δ-AU) if for every pair of different inputs x, y from {0,1}^l it holds that Pr(h_κ(x) = h_κ(y)) ≤ δ, where the probability is taken over κ ∈_R K. For a given probability distribution X on {0,1}^l, we say that {h_κ}_{κ∈K} is δ-AU w.r.t. X if Pr(h_κ(x) = h_κ(y)) ≤ δ where the probability is taken over κ ∈_R K and x, y ∈_R X conditioned on x ≠ y.

Clearly, a family is δ-AU if it is δ-AU w.r.t. all distributions on {0,1}^l.

The notion of universal hashing originates with the seminal papers by Carter and Wegman [CW79,WC81]; the δ-AU variant used here was first formulated in [Sti94]. The main usefulness of this notion comes from the following lemma whose proof is immediately obtained by conditioning on whether the two independent samples from X collide or not (below E denotes the expected value).

Lemma 1. If {h_κ}_{κ∈K} is δ-AU w.r.t. X, then E_κ[Col(h_κ(X))] ≤ Col(X) + δ.

Now, using the above lemma and Eq. (1), the lemma below extends the well-known "Leftover Hash Lemma" (LHL) from [HILL99] in two ways. First, it relaxes the pairwise-independence condition assumed by that lemma on the family of hash functions, and allows for "imperfect" families in which the collision probability is only ε-close to perfect (i.e., 2^{-k} + ε instead of 2^{-k}). Second, it allows for the collision probability to depend on the input distribution rather than being an absolute property of the family of hash functions. We use these straightforward extensions of the LHL in an essential way for achieving our results. We also note that the standard LHL can be obtained from Lemma 2 below by setting ε = 0.

Lemma 2. Let l and k be integers, let X be a probability distribution over {0,1}^l, and let {h_κ}_{κ∈K} be a family of hash functions with domain {0,1}^l and range {0,1}^k. If {h_κ}_{κ∈K} is (2^{-k} + ε)-almost universal w.r.t. X, U is uniform over {0,1}^k and κ is uniform over K, then

$$\mathrm{SD}\big((\kappa, h_\kappa(X)), (\kappa, U)\big) \le \tfrac{1}{2}\sqrt{2^k \cdot (\mathrm{Col}(X) + \varepsilon)} \le \tfrac{1}{2}\sqrt{2^k \cdot \big(2^{-H_\infty(X)} + \varepsilon\big)} \qquad (2)$$

Remark 1. It is important to note that for the above lemma to be useful one needs ε ≪ 1/2^k, or otherwise the derived bound on the statistical closeness approaches 1. Moreover, this fact is not a result of a sub-optimal analysis but rather there are examples of families with ε = 1/2^k (i.e., (2/2^k)-AU families) that generate outputs that are easily distinguishable from uniform. For example, if {h_κ} is a family of pairwise independent hash functions with k-bit outputs, and we define a new family {h'_κ} which is identical to {h_κ} except that it replaces the last bit of output with 0, then the new family has collision probability of 2/2^k yet its output (which has a fixed bit of output) is trivially distinguishable from uniform. The fact that we need ε ≪ 1/2^k (say, ε ≈ 1/2^{2k}) makes the analysis of CBC and the cascade construction presented in the next sections non-trivial. In particular, the existing analyses of these functions (such as [BKR94,BCK96b]) are too weak for our purposes as they yield upper bounds on the collision probability of these constructions that are larger than 2/2^k.
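To make Section 2 concrete, here is an added worked example (not code from the paper) that computes H∞, Col, H_2 and SD for a constructed input distribution, checks the bound of Lemma 2 / Eq. (2) on a small (2^{-k} + ε)-AU family, and reproduces the Remark 1 counterexample by forcing the last output bit to 0. The toy parameters l = 16, k = 6 and the hash family h_a(x) = low k bits of a·x in GF(2^16) are our own choices, not the paper's, and the statistical distance over keys is a Monte-Carlo average over a sample of keys rather than an exact expectation over K.

```python
"""Section 2 on a toy scale: entropy measures, the Lemma 2 / Eq. (2) bound,
and the Remark 1 counterexample.  Added example, not the paper's code.
Assumed parameters: l = 16 input bits, k = 6 output bits (K = 64); the family
h_a(x) = low k bits of a*x in GF(2^16) is our own 2^-k-AU family."""
import math
import random
from collections import Counter

ELL, K_BITS = 16, 6
K = 1 << K_BITS
POLY = 0x16801  # x^16 + x^14 + x^13 + x^11 + 1, a primitive polynomial over GF(2)


def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^16): carry-less product reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> ELL:
            a ^= POLY
    return r


def h(a: int, x: int) -> int:
    """2^-k-AU family: for x != y, a*(x^y) is uniform in GF(2^16) when a is, so
    its low k bits vanish with probability exactly 2^-k.  Not pairwise
    independent (h_a(0) = 0), but Lemma 2 only needs the AU property."""
    return gf_mul(a, x) & (K - 1)


def h_bad(a: int, x: int) -> int:
    """Remark 1 variant: the same family with the last output bit forced to 0.
    Collision probability only rises to 2/2^k, yet the output is never odd."""
    return h(a, x) & ~1


def min_entropy(dist: dict) -> float:
    """H_inf(X) = -log2 max_x Pr[X = x]  (dist maps value -> probability)."""
    return -math.log2(max(dist.values()))


def collision_prob(dist: dict) -> float:
    """Col(X) = sum_x Pr[X = x]^2."""
    return sum(p * p for p in dist.values())


def renyi_entropy(dist: dict) -> float:
    """H_2(X) = -log2 Col(X); satisfies H_inf <= H_2 <= 2 H_inf."""
    return -math.log2(collision_prob(dist))


def statistical_distance(d1: dict, d2: dict) -> float:
    """SD(X1, X2) = 1/2 sum_s |Pr_X1(s) - Pr_X2(s)|."""
    return 0.5 * sum(abs(d1.get(s, 0.0) - d2.get(s, 0.0)) for s in set(d1) | set(d2))


def family_collision_prob(hash_fn, x: int, y: int) -> float:
    """Exact Pr over the key a of h_a(x) = h_a(y), enumerating all 2^16 keys."""
    return sum(hash_fn(a, x) == hash_fn(a, y) for a in range(1 << ELL)) / (1 << ELL)


def lemma2_bound(col_x: float, eps: float) -> float:
    """Right-hand side of Eq. (2) for a (2^-k + eps)-AU family."""
    return 0.5 * math.sqrt(K * (col_x + eps))


def mean_sd_from_uniform(hash_fn, support: list, keys: list) -> float:
    """Monte-Carlo estimate of SD((a, h_a(X)), (a, U)) = E_a[SD(h_a(X), U)]
    for X uniform on `support`, averaging over the sampled keys."""
    uniform = {v: 1.0 / K for v in range(K)}
    total = 0.0
    for a in keys:
        counts = Counter(hash_fn(a, x) for x in support)
        out = {v: c / len(support) for v, c in counts.items()}
        total += statistical_distance(out, uniform)
    return total / len(keys)


def make_input(seed: int = 7) -> dict:
    """Constructed input distribution: uniform on 2^(2k) = 4096 random 16-bit
    strings, so H_inf(X) = 2k, the entropy level assumed throughout the paper."""
    rng = random.Random(seed)
    support = rng.sample(range(1 << ELL), 1 << (2 * K_BITS))
    return {x: 1.0 / len(support) for x in support}


def demo(seed: int = 7) -> dict:
    X = make_input(seed)
    rng = random.Random(seed + 1)
    keys = [rng.randrange(1 << ELL) for _ in range(32)]
    support = list(X)
    return {
        "H_inf": min_entropy(X),
        "Col": collision_prob(X),
        "delta_good": family_collision_prob(h, 0x1234, 0xBEEF),  # = 1/K
        "delta_bad": family_collision_prob(h_bad, 0x1234, 0xBEEF),  # = 2/K
        "bound_good": lemma2_bound(collision_prob(X), 0.0),  # 1/2 * 2^(-k/2)
        "sd_good": mean_sd_from_uniform(h, support, keys),
        "bound_bad": lemma2_bound(collision_prob(X), 1.0 / K),  # about 1/2: useless
        "sd_bad": mean_sd_from_uniform(h_bad, support, keys),  # >= 1/2: distinguishable
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>11}: {value:.5f}")
```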

3 The CBC-MAC Construction 

Here we study the suitability of the CBC-MAC mode as a randomness extractor. Recall that for a given permutation f on {0,1}^k, the CBC-MAC computation of f on an input x = (x_1, x_2, ..., x_L), with L blocks in {0,1}^k, is defined as χ_L where the latter value is set by the recursion: χ_0 = 0, χ_i = f(x_i ⊕ χ_{i−1}) for 1 ≤ i ≤ L. We denote the output of the above CBC-MAC process by F(x).

Our main result in this section states the extraction properties of CBC-MAC for a random permutation f on K = 2^k elements. To state it more compactly, we let ε(L,K) = (d(L))^2 · L · K^{−2} + L^4 · K^{−3}, and notice that ε(L,K) = O(L^2/K^2) when L ≤ K^{1/2} (here we use the fact that d(L) < 2√L).

Theorem 1. Let F denote the CBC-MAC mode over a random permutation f on {0,1}^k, and let X be an input distribution to F defined over L-block strings. Then the statistical distance between F(X) and the uniform distribution on {0,1}^k is at most

In particular, assuming L ≤ 2^{k/2} and H∞(X) ≥ 2k, the above statistical distance is at most O(L/2^{k/2}).

The proof of the theorem follows from Lemma 2 in combination with the following lemma that shows that CBC-MAC mode with a random permutation is δ-AU for sufficiently small δ.

Lemma 3. Let F denote the CBC-MAC mode over a permutation f on {0,1}^k. For any x, y ∈ {0,1}^{Lk}, if x ≠ y then Pr[F(x) = F(y)] ≤ 1/K + O(ε(L,K)), where the probability is over the choice of a random permutation f.

4 The Cascade Construction 

We first recall the Merkle-Damgård approach to the design of cryptographic hash functions and introduce some notation and terminology. For given integers k and b, b ≥ k > 0, let {f_κ : κ ∈ K} be a family of functions such that K = {0,1}^k, and for all κ ∈ K the function f_κ maps b bits into k bits. On the basis of this family we build another family {F_κ : κ ∈ K} that works on inputs of any length which is a multiple of b and produces a k-bit output. For each κ ∈ K, the function F_κ is defined as follows. Let x = (x_1, ..., x_L), for some L ≥ 1 and x_i ∈ {0,1}^b (for all i), denote the input to F_κ; we define L variables (each of length k) χ_1, ..., χ_L as χ_0 = κ, χ_{i+1} = f_{χ_i}(x_{i+1}), and set F_κ(x) = χ_L. For processing inputs of arbitrary length one needs a rule for padding inputs to a length that is a multiple of b. Specific functions that build on the above approach, such as MD5 and SHA-1, define their specific padding; we expand on this issue in Section 4.2. For the moment we assume inputs of length Lb for some L. Some more notation: sometimes we use F to denote the family {F_κ}_{κ∈K} and we write F(x) to denote the random variable F_κ(x) for κ ∈_R K. Finally, we use K to denote 2^k.

The family {f_κ}_{κ∈K} is called the "compression function(s)" and the family {F_κ} is referred to as the "cascade construction" (over the compression function {f_κ}_{κ∈K}). Typical values for the parameters of the compression function are b = 512 and k ∈ {128, 160}.

4.1 The Basic Cascade Construction 

The main result of this section is the following. Assume X is an input distribution with 2k bits of (overall) min-entropy and "enough" bits of min-entropy in its last (b-bit) block ("enough" will be quantified below). For the cascade constructions we model the underlying family of compression functions as a family of random functions (with k-bit outputs). Then the output of F on the distribution X is statistically close to uniform. This result is formalized in the following theorem. As in Section 3, we let ε(L,K) = (d(L))^2 · L · K^{−2} + L^4 · K^{−3}, and notice that ε(L,K) = O(L^2/K^2) when L ≤ K^{1/2}.

Theorem 2. Let F = {F_κ} be the cascade construction defined, as above, over a family of random functions {f_κ}. Let X be the input distribution to F defined over L-block strings, and X_L denote the probability distribution induced by X on the last block x_L for x ∈_R X. Then, if U is the uniform distribution over {0,1}^k, we have

$$\mathrm{SD}(F(X), U) \le \sqrt{K \cdot 2^{-H_\infty(X)} + L \cdot 2^{-H_\infty(X_L)} + O\big(K \cdot \varepsilon(L,K)\big)} \qquad (3)$$

In particular, if H∞(X) ≥ 2k, H∞(X_L) ≥ k, and L ≤ 2^{k/2}, then SD(F(X), U) ≤ O(L/2^{k/2}).

The proof of the theorem follows from Lemma 2 in combination with the following lemma that shows that the cascade construction with a random family of compression functions is δ-AU for sufficiently small δ.

Lemma 4. Let F = {F_κ} be the cascade construction defined over a family of random functions {f_κ}. Let X be an input distribution as assumed in Theorem 2, where H∞(X_L) ≥ log L. Then, the family F is $\big(\tfrac{1}{K} + \tfrac{L \cdot 2^{-H_\infty(X_L)}}{K} + O(\varepsilon(L,K))\big)$-AU w.r.t. X.

The proof of this lemma is based on the following two propositions: the first analyzes the collision probability of the cascade function F over random compression functions on inputs that differ (at least) in the last block (Proposition 1); then we extend the analysis to the general case, i.e. for any two different x and y (Proposition 2). All proofs appear in the final paper.

Proposition 1. Let F = {F_κ} be the cascade construction defined over a family of random functions {f_κ}. Let x, y be two inputs to F that differ (at least) in the last block, namely, x_L ≠ y_L, and let κ ∈ K be any value of the initial key. Then Pr_F(F_κ(x) = F_κ(y)) ≤ 1/K + O(ε(L,K)), where the probability is taken over the choice of random functions in F.

Proposition 2. Let F be defined as above, let x, y be two different inputs to F, and let κ be any value of the initial key. Then Pr_F(F_κ(x) = F_κ(y)) ≤ 1/K + O(L · ε(L,K)), where the probability is taken over the choice of random functions in F.

The Value of the Initial Key κ. We note that the above analysis holds for any value of the initial key κ, when the functions are truly random, which means that in principle κ can be fixed to a constant. However, in practice not all the functions of the function family {f_κ} satisfy this requirement. Thus, choosing κ at random allows, for example, to extend our analysis to the situation where a negligible fraction of functions in F are not close to random functions.

Necessity of Min-Entropy in the Last Block. We argue that assuming non-trivial min-entropy in the last block is required, even if the family {f_κ} of compression functions is completely random. Assume an input distribution in which the last block is fixed to a value B. The first L − 1 blocks induce some distribution for the last key in the sequence. Examining the distribution on f_κ(B), induced by (any) distribution on κ, it is easy to see that this distribution is statistically far from the uniform distribution. In particular, with high probability a constant fraction of the elements will not appear in the distribution.
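The CBC-MAC recursion of Section 3, the cascade of Section 4 and the fixed-last-block failure just described, run at a toy scale as an added example (not the paper's code). It assumes k = 8, a seeded random permutation for f, "random" compression functions f_κ simulated with SHA-256 under a constructed seed, and an input X uniform over 2^{2k} distinct strings so that H∞(X) = 2k; the checks against L · 2^{-k/2} are sanity checks of the asymptotic bounds, not proofs.

```python
"""Sections 3 and 4.1 on a toy scale.  Added example, not the paper's code.
Assumptions: k = 8 (K = 256); L = 3 k-bit blocks for CBC-MAC; b = 16 and
L = 2 for the cascade; the random functions f_kappa are simulated with
SHA-256 keyed by a constructed seed; X is uniform on 2^(2k) distinct inputs."""
import hashlib
import random
from collections import Counter

K_BITS, K = 8, 256
B_BITS = 16
SEED = b"constructed-seed"  # constructed; any fixed value gives one fixed family


def random_permutation(seed: int) -> list:
    """A uniformly random permutation f of {0,1}^k (seeded so the run repeats)."""
    table = list(range(K))
    random.Random(seed).shuffle(table)
    return table


def cbc_mac(f: list, x: list) -> int:
    """F(x) of Section 3: chi_0 = 0, chi_i = f(x_i XOR chi_{i-1}), output chi_L."""
    chi = 0
    for block in x:
        chi = f[block ^ chi]
    return chi


def f_compress(kappa: int, block: int) -> int:
    """Simulated random compression function f_kappa : {0,1}^b -> {0,1}^k."""
    msg = SEED + kappa.to_bytes(1, "big") + block.to_bytes(2, "big")
    return hashlib.sha256(msg).digest()[0]


def cascade(kappa: int, x: list) -> int:
    """F_kappa(x) of Section 4: chi_0 = kappa, chi_{i+1} = f_{chi_i}(x_{i+1})."""
    chi = kappa
    for block in x:
        chi = f_compress(chi, block)
    return chi


def statistical_distance_from_uniform(outputs: list) -> float:
    """SD between the empirical output distribution and uniform on {0,1}^k."""
    counts = Counter(outputs)
    n = len(outputs)
    return 0.5 * sum(abs(counts.get(v, 0) / n - 1.0 / K) for v in range(K))


def sample_input(n_blocks: int, block_bits: int, seed: int) -> list:
    """Constructed X: uniform over 2^(2k) = 65536 distinct n_blocks-block
    strings, i.e. H_inf(X) = 2k exactly.  Returned as a list of block tuples."""
    rng = random.Random(seed)
    mask = (1 << block_bits) - 1
    picks = rng.sample(range(1 << (n_blocks * block_bits)), 1 << (2 * K_BITS))
    return [tuple((v >> (block_bits * i)) & mask for i in range(n_blocks)) for v in picks]


def theorem_bound(L: int) -> float:
    """The L * 2^(-k/2) scale of Theorems 1 and 2 (asymptotic, constants ignored)."""
    return L * 2 ** (-K_BITS / 2)


def cbc_mac_extractor_sd(L: int = 3, seed: int = 11) -> float:
    """SD(F(X), U) for CBC-MAC over a random permutation; Theorem 1 predicts
    a value of order L * 2^(-k/2) when H_inf(X) >= 2k."""
    f = random_permutation(seed)
    X = sample_input(L, K_BITS, seed)
    return statistical_distance_from_uniform([cbc_mac(f, x) for x in X])


def cascade_extractor_sd(L: int = 2, seed: int = 13, fixed_last_block=None) -> float:
    """SD(F_kappa(X), U) for the cascade with a random, known key kappa.  With
    fixed_last_block set, the last block is replaced by that constant: the
    zero-entropy case that Section 4.1 shows is far from uniform, since the
    output is then f_chi(B) for at most K values of chi, so a constant
    fraction of {0,1}^k is never hit."""
    rng = random.Random(seed)
    kappa = rng.randrange(K)
    X = sample_input(L, B_BITS, seed)
    if fixed_last_block is not None:
        X = [x[:-1] + (fixed_last_block,) for x in X]
    return statistical_distance_from_uniform([cascade(kappa, x) for x in X])


if __name__ == "__main__":
    print("CBC-MAC  SD =", cbc_mac_extractor_sd(), " scale", theorem_bound(3))
    print("cascade  SD =", cascade_extractor_sd(), " scale", theorem_bound(2))
    print("fixed B  SD =", cascade_extractor_sd(fixed_last_block=0xABCD))
```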



4.2 The Cascade Construction with Input Padding 

The conditions imposed by Theorem 2 on the input distribution X conflict with a technical detail of the practical implementations of the cascade paradigm (such as MD5 and SHA-1): rather than applying the cascade process to the input x ∈_R X, these functions modify x by concatenating enough padding bits as to obtain a new input x' whose length is a full multiple of the block length. In some cases this padding results in a full fixed block appended to x. Therefore, even if X has the property that the last block of input has relatively high entropy (as required by Theorem 2) the actual input x' to the cascade does not have this property any more. This fact is sufficient to make our main result from Section 4.1 irrelevant to these real-world functions; luckily, however, we show here that this serious obstacle can be lifted.

In order to better understand this problem we first describe the actual way this padding is performed. We consider the concrete value b = 512 used as the block length in these functions. Let n denote the length of the input x, and let n' = n mod 512. If n' < 448 then x is padded with the binary string 1 0^{447−n'} (a single 1 bit followed by 447 − n' zeros) followed by a 64-bit representation of n. If n' ≥ 448 then a whole new block is added with a padding similar to the one described above (with the binary representation of n occupying the last 64 bits of the added block). From this description, we see that if, for example, the original input x had a length which was an exact multiple of 512, then x' = x || B where B is a whole new block (and || represents the concatenation operation). Moreover, the value of B is the same (and fixed) for all inputs of the length of x. In particular, if we consider the case in which we hash Diffie-Hellman values of length 1024 or 2048 bits (this is the common case when working over Z_p^* groups), then we get that the padded input x' will always have a fixed last block. In other words, regardless of the entropy existing in the original input x the actual input to the cascade process now has a zero-entropy last block.

For this case, in which the last block is fixed, we show here that a somewhat weaker (but still very useful) result holds. Specifically, combining Theorem 2 with the assumption that the family of (compression) functions {f_κ} is pseudorandom, we can prove that the output from the cascade construction is pseudorandom, i.e., computationally indistinguishable from uniform (and thus sufficient for most cryptographic applications). This result holds even though the key to the cascade function F is revealed! We note that the assumption that the family {f_κ} is pseudorandom is clearly implied by the modeling (from the previous subsection) of these functions as random. But we also note that assuming the compression function (family) of actual schemes such as MD5 or SHA-1 to be pseudorandom is a standard and widely-used cryptographic assumption (see [BCK96b] for some analytical results on these PRF constructions).

Lemma 5. Let {f_κ}_{κ∈K} be a family of pseudorandom functions which is ε_p(T)-indistinguishable from random for attackers restricted to time T and a single query. Let F = {F_κ}_{κ∈K} denote the cascade construction over the family {f_κ}_{κ∈K}. Further, let X be a probability distribution on L-block strings from which the inputs to F are chosen, and B be a fixed b-bit block. If the output distribution F_κ(X), with random but known key κ, is ε_d-statistically close to uniform, then the distribution F_κ(X || B) (for random but known κ) is (ε_d + ε_p(T))-indistinguishable from uniform by attackers that run in time T.

The above lemma together with Theorem 2 show that if {f_κ} is a family of random functions then the cascade construction with a fixed last block is indistinguishable from random, provided that the original input distribution (before padding!) satisfies the conditions of Theorem 2.

It is also worth noting that Lemma 5 can be generalized to input distributions X' that can be described as the concatenation of two probability distributions X and Y, where X satisfies the conditions of Theorem 2, and Y is an arbitrary (polynomial-time samplable) distribution independent from X.

A Practical Consideration. Note that the application of Lemma 5 on an input distribution X still requires the last block of X (before padding) to have relatively high min-entropy. To maximize this last-block min-entropy it is advisable that any input x whose length is not a multiple of b = 512 be "shifted to the right" (to a block boundary) by prepending a sufficient number of bits (say, all zeros) to the beginning of x. This way, the resultant string x' is of length a multiple of b and, more importantly, its last block contains the full entropy of the last b bits in x. Also, this shifting forces the appended padding described earlier to add a full block as assumed in Lemma 5.⁴
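The padding rule of Section 4.2 and the right-shift advice above, as an added example (not the paper's code): it pads a bit string the way MD5/SHA-1 do, shows that two different 1024-bit (or 2048-bit) inputs end in one and the same fixed block B after padding, and reproduces the footnote's 1800-bit case; the inputs are constructed at random and bit strings are kept as Python strings of '0'/'1' so lengths need not be byte multiples.

```python
"""Section 4.2 padding and the right-shift advice.  Added example, not the
paper's code.  Bit strings are Python str of '0'/'1'."""
import random

BLOCK = 512  # b = 512, the block length of MD5 and SHA-1


def md_pad(x: str) -> str:
    """Pad x as MD5/SHA-1 do: a single 1 bit, zeros up to 448 mod 512, then
    the 64-bit binary representation of the original length n.  When
    n mod 512 >= 448 the padding spills into a whole extra block."""
    n = len(x)
    zeros = (447 - n % BLOCK) % BLOCK
    return x + "1" + "0" * zeros + format(n, "064b")


def blocks(s: str) -> list:
    """Split a bit string whose length is a multiple of 512 into blocks."""
    if len(s) % BLOCK:
        raise ValueError("length is not a multiple of the block length")
    return [s[i:i + BLOCK] for i in range(0, len(s), BLOCK)]


def padded_blocks(x: str) -> list:
    """The blocks actually fed to the cascade: x followed by its padding."""
    return blocks(md_pad(x))


def shift_to_block_boundary(x: str) -> str:
    """Prepend zeros so the length becomes a multiple of b: the last b bits of
    x then form the last data block, and the padding adds a full block."""
    return "0" * ((-len(x)) % BLOCK) + x


def random_bits(n: int, rng: random.Random) -> str:
    """Constructed input: n uniformly random bits."""
    return "".join(rng.choice("01") for _ in range(n))


def last_block_is_fixed(n_bits: int, seed: int = 3) -> bool:
    """For two random inputs whose common length is a multiple of 512, the
    padded inputs end in the same zero-entropy block B (the DH case of 1024-
    or 2048-bit values), and the preceding blocks are just the inputs."""
    rng = random.Random(seed)
    x1, x2 = random_bits(n_bits, rng), random_bits(n_bits, rng)
    b1, b2 = padded_blocks(x1), padded_blocks(x2)
    return b1[-1] == b2[-1] and b1[:-1] == blocks(x1) and b2[:-1] == blocks(x2)


def footnote_example(seed: int = 5) -> dict:
    """The footnote's case: an 1800-bit x is shifted by 248 zeros to 2048 bits
    (4 blocks); the padding then appends a fifth, fixed block, and the fourth
    block carries the full entropy of the last 512 bits of x."""
    rng = random.Random(seed)
    x = random_bits(1800, rng)
    x_shifted = shift_to_block_boundary(x)
    padded = padded_blocks(x_shifted)
    return {
        "prepended_zeros": len(x_shifted) - len(x),
        "data_blocks": len(blocks(x_shifted)),
        "total_blocks": len(padded),
        "last_data_block_is_tail_of_x": padded[3] == x[-512:],
        "pad_block": padded[4],
    }


if __name__ == "__main__":
    print("1024-bit inputs share a fixed last block:", last_block_is_fixed(1024))
    print("2048-bit inputs share a fixed last block:", last_block_is_fixed(2048))
    print(footnote_example())
```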



4.3 Modeling the Compression Function as a δ-AU Family

In Section 4.1 we presented an analysis of the basic cascade construction under the modeling of the compression function as a family of random functions. Here we study the question of what can be guaranteed on the output distribution of the cascade under the simple assumption that the family of compression functions is a good extractor (or more generally that this family is δ-AU). Clearly this is a more realistic assumption on the underlying compression function. On the other hand, in order to prove a close-to-uniform output in this case we are going to require a stronger assumption on the input distribution. Specifically, we are going to assume that the distribution on every block of input has a high min-entropy (e.g., 2k bits of min-entropy out of the b bits in the block), conditioned on the distribution of the previous blocks. We prove below that under these conditions the output of the cascade function is statistically close to uniform.

We note that the above requirement on the input distribution, while stringent, is met in some important cases, such as applications that extract keys from a Diffie-Hellman value computed over a high-entropy group. In particular, this requirement is satisfied by the DH groups in use with the IKE protocol.

Conditional Entropy. Let X and Y be two probability distributions over {0,1}^a and {0,1}^b respectively. If y ∈ {0,1}^b we denote by X|y the distribution X conditioned on the event that the string y is selected according to Y. Then we can define the conditional min-entropy of X|y (and denote it as H∞(X|y)) as the minimum integer m such that for all x ∈ {0,1}^a, Pr_{X|y}(x) ≤ 2^{−m}.

We define the conditional min-entropy of X with respect to Y as the expectation over Y of H∞(X|y): H∞(X|Y) = Σ_y Pr_Y(y) · H∞(X|y).

Lemma 6. Assume that the family of compression functions {f_κ}_{κ∈K} from b to k bits has the property that for any probability distribution ℬ defined over {0,1}^b with min-entropy m, the output distribution f_κ(B), for κ ∈_R K and B ∈_R ℬ, is ε-close to uniform (for some given ε = ε(b, k, m)). Further, assume that X is an input distribution on L b-bit blocks with the property that for each i = 1, ..., L,

⁴ For example, assume the inputs from the distribution X to be of length 1800 bits. Given such an input x we prepend to it 248 '0's resulting in a 4-block string x' = 0^{248} || x. Now when this input is processed by, say, SHA-1 an additional fifth block is added to x'. The important thing is that the last block of x' receives as much entropy from the last 512 bits of x as possible.
the distribution X_i induced by X on the i-th block has conditional min-entropy m with respect to the distribution induced by X on blocks 1, ..., i − 1, and that X_i
Then, the cascade construction over the family {f_κ} applied to the distribution X is (L · ε)-close to uniform.

In particular, if we assume that the family {f_κ} is (2^{−k} + 2^{−2k})-AU and the min-entropy of each input block (as defined above) is at least m = 2k, then we get (using Lemma 2) a statistical distance between the cascade construction on L blocks and the uniform distribution on {0,1}^k of at most L · 2^{−k/2}.

Combining Lemmas 6 and 5 we get that, under the above assumption on the input distribution, if the family of compression functions is both δ-AU and pseudorandom then the output of the padded cascade (see Section 4.2) is pseudorandom (i.e. indistinguishable from uniform).



5 HMAC Construction 

We now turn to the study of HMAC [BCK96a] as a randomness extraction family. HMAC (and its underlying family NMAC) is defined using the cascade construction over a family of compression functions {f_κ}_{κ∈K} with domain {0,1}^b, range {0,1}^k and K = {0,1}^k (as usual we denote K = 2^k). The family of functions NMAC uses two independent keys drawn from K and is defined over {0,1}^* as NMAC_{κ1,κ2}(x) = f_{κ2}(F_{κ1}(x)) where both x and the result from F_{κ1}(x) are padded as described in Section 4.2. On the basis of NMAC one defines the family HMAC as HMAC_{κ1,κ2}(x) = NMAC_{κ'1,κ'2}(x) where κ'1 = f_iv(κ1 ⊕ pad1) and κ'2 = f_iv(κ2 ⊕ pad2), the value iv is fixed to the IV defined by the underlying hash function, and pad1, pad2 are two different fixed strings of length b. The analysis of HMAC is based on that of NMAC under the specialized assumption that the keys κ'1 and κ'2 are "essentially independent". We keep this assumption and develop our analysis on NMAC. (The reason for this form of derivation of the keys κ'1, κ'2 in HMAC is to allow for the use, without modification, of the underlying hash function; in particular, without having to replace the fixed IV with a variable value.)

We start by observing that if one considers the family NMAC_{κ1,κ2} as a δ-AU family then we get δ ≥ 2/K. This is so since for any two inputs x, y the probability that NMAC sends both values to the same output is the sum of the probability that F_{κ1}(x) = F_{κ1}(y) (which is at least 1/K) plus the probability that F_{κ1}(x) ≠ F_{κ1}(y) but f_{κ2} maps these two different results to the same value (which is also at least 1/K). Therefore we cannot apply the results of Section 2 directly to the analysis of NMAC.

However, we provide three analyses, which, under different assumptions, establish the security of NMAC as a randomness extractor.

Dropping Some Output Bits. Specifically, we assume the "outer" function f_{κ2} outputs k' = k − c bits (e.g., in case f_{κ2} is a random function outputting k bits, one can simply drop the last c bits and view it as a random function outputting k' bits). In this case, a straightforward application of Lemma 1 and Lemma 2 shows that if the family {F_{κ1}} is δ1-AU w.r.t. X and {f_{κ2}} is (1/2^{k'} + δ2)-AU, then NMAC extracts k' bits of statistical distance at most √(2^{k'} · (Col(X) + δ1 + δ2)) from uniform. Assuming now that both families consist of random functions, then δ2 = 0 and Proposition 2 implies that δ1 ≤ L/K + O(L · ε(L,K)). This means that if H∞(X) ≥ k, k' ≤ k − log L − 2 log(1/γ) and L ≤ 2^{k/2}, then NMAC extracts k' bits which are γ-close to uniform. In fact, the same is true even if the outer function family {f_{κ2}} is merely a good extractor (e.g., if it is pairwise independent). In any case, we get that dropping roughly (log L + 160) bits from the output of the NMAC construction makes it a good extractor. To make this result meaningful, however, we must consider compression functions whose key is non-trivially larger than 160 bits, such as the compression function for SHA2-512.

Computational Security. Our second approach to analyzing NMAC is similar to the analysis of the padded cascade from Lemma 5. We will present it in the full version.

Modeling as a Random Oracle. As we remarked, even if F_{κ1} is truly random, the value f_{κ2}(F_{κ1}(X)) cannot be statistically close to uniform, even if F_{κ1}(X) was perfectly uniform. This was argued under an extremely strong distinguisher that can evaluate f = f_{κ2} at all of its 2^k inputs. This is different from the typical modeling of f as a random oracle. Namely, in the random oracle model it is assumed that the adversary can evaluate f at most a bounded number of points, q ≪ 2^k. This assumption can be seen as restrictive, but in fact a realistic characterization of the adversary's capabilities. Thus, we show that when we model the outer function of NMAC, f, as a random oracle then the construction is a good randomness extractor. We start by showing the general result about the quality of using a random oracle f as an extractor, and then apply it to the NMAC construction.



5.1 Random Oracle as an Extractor 

In this section, we show that by utilizing the power of the random oracle to the fullest, we can provide some provable guarantees on the quality of the random oracle as a randomness extractor. Our precise modeling of the random oracle f : {0,1}^b → {0,1}^k is the following. The adversary is allowed to adaptively query the random oracle f at up to q points, and possibly make the distribution X depend on these q queries. However, we assume that the remaining "unqueried" (2^b − q) values of f are chosen randomly and independently of X, and are never given to the adversary.⁵ Finally, given a distribution X and a number q, we let W_q(X) denote the probability mass of the q heaviest elements under X.



⁵ We stress that this is very different from our modeling of a random function from before, where the adversary first chooses the distribution X, after which f is chosen at random (independently from X) and given to the adversary in its entirety.
Lemma 7. Assume f is a random oracle from b bits to k bits, and the adversary can evaluate f in at most q points. Then, for any distribution X on {0,1}^b, the maximal probability the adversary can distinguish f(X) from the uniform distribution over {0,1}^k is at most

$$W_q(X) \le \min\Big( q \cdot 2^{-H_\infty(X)},\ \sqrt{q \cdot \mathrm{Col}(X)} \Big) \qquad (4)$$

Remark 2. We already remarked that no single function can be a universally good extractor, which means that one has to use a function family instead, indexed by some key κ. On the other hand, in the idealized random oracle model, we manage to use a single random oracle f in Lemma 7. This is not a contradiction since we critically assumed that the adversary cannot read the entire description of the random oracle. In essence, the choice of the random oracle f can be viewed as a key κ, but the distinguisher cannot read the entire key (although it has a choice which parts of it to read) and therefore cannot adversarially choose a bad distribution X. Put differently, in our analysis we could assume that a large part of the key (i.e., f) is chosen independently of X, which is consistent with the conventional extractors such as those obtained by the LHL. However, unlike the conventional extractors, we (restrictively) assume that the adversary never learns the entire description of the key (i.e., the unqueried parts of f), which allowed us to get a much stronger bound than what we could get with the LHL. For example, LHL required Col(X) ≪ 2^{−k}, while Lemma 7 only requires Col(X) ≪ 1/q.

We will also use the following Corollary of Eq. (4) and Lemma 1. 

Corollary 1. If a family of functions $\{h_\kappa\}_{\kappa \in \mathcal{K}}$ is $\delta$-almost universal w.r.t. $X$,
$f$ is a random oracle, $U$ is the uniform distribution on $\{0,1\}^k$, and the adversary
can make at most $q$ queries to the random oracle, then the maximal probability
the adversary can distinguish the pair $(\kappa, f(h_\kappa(X)))$ from $(\kappa, U)$ is at most
$\sqrt{q \cdot (\mathrm{Col}(X) + \delta)}$.

The above corollary implies that the composition of a collision-resistant hash
function and a random oracle can be viewed as a relatively good extractor. This
is because a (computational) collision-resistant function must be (information-
theoretically) almost universal. More precisely, if a function family $\mathcal{H} = \{h_\kappa\}$ is
collision-resistant with exact security $\delta$ against non-uniform adversaries running
in linear time, it must also be $\delta$-almost universal. For uniform adversaries running
in time $T$, $\mathcal{H}$ must be $\delta$-almost universal w.r.t. any $X$ which is samplable in time
$T/2$.

Application to NMAC. We can now apply Corollary 1 to the case of NMAC,
assuming that the outer (keyed) function $f$ is a random oracle which can be evaluated
in at most $q$ places. By Proposition 2, the family $\{F_{\kappa_1}\}$ is $\delta$-AU when the
function family $\{f_{\kappa_1}\}$ is chosen at random, for $\delta \le (L+1)/2^k$ (when $L < 2^{k/2}$).
Thus, Corollary 1 implies that NMAC extracts $k$ bits which cannot be distinguished
from random with probability more than $\sqrt{q\,(\mathrm{Col}(X) + (L+1)\,2^{-k})}$,
which is negligible if $q \ll \min[\,1/\mathrm{Col}(X),\ 2^k/(L+1)\,]$.
Abstract. We study the problem of broadcasting confidential information
to a collection of n devices while providing the ability to revoke
an arbitrary subset of those devices (and tolerating collusion among the
revoked devices). In this paper, we restrict our attention to low-memory
devices, that is, devices that can store at most O(log n) keys. We consider
solutions for both zero-state and low-state cases, where such devices are
organized in a tree structure T. We allow the group controller to encrypt
broadcasts to any subtree of T, even if the tree is based on a multi-way
organizational chart or a severely unbalanced multicast tree.



1 Introduction 

In the group broadcast problem, we have a group S of n devices and a group
controller (GC) that periodically broadcasts messages to all the devices over
an insecure channel [8]. Such broadcast messages are encrypted so that only
valid devices can decrypt them. For example, the messages could be important
instructions from headquarters being sent to PDAs carried by employees in a
large corporation. We would like to provide for revocation, that is, for an arbitrary
subset $R \subseteq S$, we would like to prevent any device in $R$ from decrypting
the messages.

We are interested in schemes that work efficiently with low-memory devices,
that is, devices that can store at most O(log n) secret keys. Such a scenario
models the likely situation where the devices are small and the secure firmware
dedicated to storing keys is smaller still. We refer to this as the log-key restriction.
We consider two variants of this model.

— A static or zero-state version: the O(log n) keys on each device cannot be
changed once the device is deployed. For example, memory for the devices
could be written into secure firmware at deployment.
0225642, and CCR-0098068.
— The dynamic or low-state version: any of the O(log n) keys on each device
can be updated in response to broadcast messages. For example, such devices
might have a small tamper-resistant secure cache in which to store and
update secret keys.

Organizing Devices Using Trees. The schemes we consider organize the set 
of n devices in a tree structure, associating each device with a different leaf in 
the tree. In fact, we consider three possible kinds of trees that the devices can 
conceptually be organized into. 

1. A balanced d-ary tree. In this case, the devices are associated with the leaves
of a balanced tree where each internal node has a constant number d of
children; hence, each leaf is at depth O(log n). This tree is usually chosen purely
for the sake of efficiency, and, in fact, has been the only tree considered in
previous related work we are familiar with. For example, it forms the basis of
the Logical Key Hierarchy (LKH) scheme [26, 28], the One-way Function Tree
(OFT) scheme [21], the Subset-Difference Revocation (SDR) scheme [16],
and the Layered Subset Difference (LSD) scheme [10].

2. An organizational chart. In this case, the devices are associated with the
leaves of a tree that represents an organizational chart, such as that of a
corporation or university. For example, internal nodes could correspond to
campuses, colleges, and departments. The height of this tree is assumed
to be O(log n), but the number of children of an internal node is not assumed
to be bounded by a constant. Thus, the straightforward conversion of this
tree into an equivalent bounded-degree tree may cause the height to become
$\Omega(\log^2 n)$.

3. A multicast tree. In this case, the devices are associated with the nodes of 
a multicast tree rooted at the group controller. The logical structure of this 
tree could be determined in an ad hoc manner so that no bound is assumed 
on either the tree height or the degree of internal nodes. Thus, this tree 
may be quite imbalanced and could in fact have height that is exponentially 
greater than the number of keys each device can hold. 

In using trees, particularly in the latter two cases, we feel it is important to 
provide the capability to the group controller of encrypting a message so that it 
may be decrypted only by the devices associated with nodes in a certain subtree. 
For instance, a sporting event might be broadcast to just a single region, or a 
directive from headquarters might be intended just for a single division. We call 
such a broadcast a subtree broadcast, which can also be modeled by multiple 
GCs, each assigned to a different subtree. We continue in this case to assume 
the network transmits a message to the entire group, even the revoked devices, 
but it should only be readable by the (unrevoked) devices in the specified subtree 
when the message is sent in a subtree broadcast. The motivation for organizing 
devices into trees and allowing for subtree broadcasts is derived from the way 
many organizations are naturally structured. For example, the ICS Company 
may have several departments divided into groups, and groups may in turn have 
divisions located in different cities. 
After a secure broadcast system is set up, we need to have the ability to
revoke devices to avoid revealing messages beyond the current members. (We
also consider the complexities of adding new devices, but the need for revocation
is better motivated, since additions will typically be done in large blocks.) Thus,
we are interested in the following complexity measures for a set of n devices.

— Broadcast cost: the number of messages the group controller (GC) must send 
in order to reach a subtree containing r revoked devices. 

— Revocation cost: the number of messages the GC must send in order to revoke 
a device. Note that this cost is zero in the zero-state case. 

— Insertion cost: the number of messages the GC must send in order to add a 
device. Note that this cost parameter does not apply to the zero-state case. 

Related Work. Broadcast/multicast encryption was first formally studied by 
Fiat and Naor [8], for the model where all the device keys are dynamic. Their al- 
gorithms satisfy the log-key restriction, however, only if no more than a constant 
number of revoked devices collude, which is probably not a realistic assumption. 
Several subsequent approaches have therefore strengthened the collusion resis- 
tance for broadcast encryption, and have done so using approaches where the 
group is represented by a fixed-degree tree with the group controller (GC) being 
the root and devices (users) being associated with leaves [3-7,11,13-15,23,24, 
26,28]. 

Of particular note is the logical key hierarchy (LKH) scheme proposed by
Wallner et al. [26] and by Wong and Lam [28], which achieves O(1) broadcast
cost and O(log n) revocation cost under the log-key restriction (for the dynamic
case). The main idea of the LKH scheme is to associate devices with the leaves
of a complete binary tree, assign a unique secret key to each node in this tree,
and store at each device x the keys on the path from x's leaf to the
root. Some improvements of this scheme within the same asymptotic bounds are
given by Canetti et al. [4,5]. Using Boolean function minimization techniques,
Chang et al. [6] deal with cumulative multi-user revocations and reduce the
space complexity of the GC, i.e., the number of keys stored at the GC, from
O(n) to O(log n). Wong et al. [27] generalize the results from binary trees to
key graphs. In addition, Sherman and McGrew [21] improve the constant factors
of the LKH scheme using a technique they call one-way function trees (OFT),
to reduce the size of revocation messages. Naor and Pinkas [17] and Kumar et
al. [12] also study multi-user revocations withstanding coalitions of colluding
users, and Pinkas [18] studies how to restore an off-line user who has missed a
sequence of t group modifications with O(log t) message size. Also of note is the work
of Rodeh et al. [19], who describe how to use AVL trees to keep the LKH tree
balanced. Thus, the broadcast encryption problem is well studied for the case
of fully dynamic keys and devices organized in a complete or balanced k-ary
tree (noting that a k-ary tree can be transformed into a binary tree with only a
constant-factor increase in height). We are not familiar with any previous work that deals with
unbalanced trees whose structure must be maintained for the sake of subtree
broadcasts, however.
There has also been some interesting recent work on broadcast encryption
for zero-state devices (the static case). To begin, we note that several researchers
have observed (e.g., see [10]) that the LKH approach can be used in the zero-
state model under the log-key restriction to achieve O(r log(n/r)) broadcast
cost. (We will review the LKH approach in more detail in the next section.)
Naor, Naor, and Lotspiech [16] introduce an alternative approach to LKH, which
they call the subset-difference revocation (SDR) approach. They show that if
devices are allowed to store $O(\log^2 n)$ static keys, then the group controller
can send out secure broadcasts using O(r) messages, i.e., the broadcast cost
of their approach is O(r). Halevy and Shamir [10] improve the performance of
the SDR scheme, using an approach they call layered subset difference (LSD).
They show how to reduce the number of keys per device to $O(\log^{1+\epsilon} n)$
while keeping the broadcast cost O(r). They also show how to further extend
their approach to reduce the number of keys per device to O(log n log log n)
while increasing the broadcast cost to O(r log log n). These latter results are
obtained using a super-logarithmic number of device keys; hence, they violate
the log-key restriction.

Our Results. We provide several new techniques for broadcast encryption 
under the log-key restriction. We study both the static (zero-state) and dynamic 
(low-state) versions of this model, and present efficient broadcast encryption 
schemes for devices organized in tree structures. We study new solutions for 
balanced trees, organizational charts, and multicast trees. We show in Table 1 
the best bounds on the broadcast, insertion and revocation cost for each of the 
possible combinations of state and tree structure we consider, under the log-key 
restriction. 



Table 1. Best bounds for broadcast encryption among n devices under the log-key
restriction, where each device can store only O(log n) keys.

                                Balanced Tree      Org. Chart     Multicast Tree
  static        broadcast cost   O(r)               O(r)           O(r log n)
  (zero-state)                   (new)              (new)          (new)
  dynamic       broadcast cost   O(1)               O(1)           O(log n)
  (low-state)   revocation cost  O(log n)           O(log n)       O(log n)
                insertion cost   O(log n)           O(log n)       O(log n)
                                 LKH [19, 26, 28]   (new)          (new)

So, for example, we are able to match the log-key bound of the static LKH
scheme while also achieving the O(r) broadcast encryption complexity of the
SDR scheme. Indeed, our scheme for this case, which we call the stratified subset
difference (SSD) scheme, is the first scheme we are aware of for zero-state devices
that simultaneously achieves both of these bounds. Moreover, we are able
to match the best bounds for balanced trees even for unbalanced high-degree
organizational charts, which would not be possible using the natural conversion
to a binary tree. Instead, we use biased trees [1] to do this conversion. But this
approach is nevertheless limited, under the log-key restriction, to cases where the
organizational chart has logarithmic height. Thus, for multicast trees, which can
be very unbalanced (we even allow for height that is O(n)), we must take a
different approach. In particular, in these cases, we extend the linking and cutting
dynamic trees of Sleator and Tarjan [22] to the context of broadcast encryption,
showing how to do subtree broadcasts in this novel context. This implies some
surprisingly efficient performance bounds for broadcast encryption in multicast
trees, for in severely unbalanced multicast trees the number of ancestors of the
leaf associated with some device can be exponentially greater than the number
of keys that device is allowed to store.

2 Preliminaries 

The LKH Scheme for a Single Group. Let us briefly review the LKH 
scheme [26,28], which is well known for key management in single groups. The 
LKH scheme organizes a group of n devices as a complete binary tree with the 
GC represented by the root and each user (that is, device) by a leaf, with a key 
stored at each node. Each device, as a leaf, knows the path from the root to 
itself and all the keys on this path. The GC, as the root, knows the whole tree 
and all the keys. (See Figure 1.) 

To revoke a device x, the GC updates every key on the path from itself to
x so that: (a) x cannot receive any updated key; and (b) any device other than
x can receive an updated key if and only if it knows the old value of that key.
The key updating is bottom-up, from the parent of x to the root. To distribute
the new key at a node v, if v is the parent of x, then the GC encrypts the new
key with the current key of the sibling of x; otherwise, the GC encrypts the new
key with the current keys of the two children of v, respectively. This procedure
guarantees (a) and (b). The total number of messages is O(log n). Broadcasting
to a subtree simply involves encrypting a message using the key for the root of
that subtree; hence, the broadcast cost is O(1).

In the static case, no updating is allowed. So, the GC must encrypt a broadcast
using the root of every maximal subtree containing no revoked devices.
Thus, in the static case, LKH has broadcast cost O(r log(n/r)). (Recall that r is
the number of revoked devices.) In both the static and dynamic case, however,
the number of keys per device remains O(log n).
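The dynamic rekeying and the static cover just described, as an added Python example (this is not code from the paper; it assumes a heap-numbered complete binary tree, random byte strings as keys, and models "new key K for node t, encrypted under key(u)" as a tuple that a device can open only if it holds key(u)):

```python
import os


class LKH:
    """Logical Key Hierarchy over a complete binary tree in heap numbering:
    root = 1, children of v are 2v and 2v+1, device x sits at leaf n + x.
    Added illustration (not the paper's code): keys are random 16-byte strings,
    and 'the new key K for node t, encrypted under key(u)' is modelled as the
    tuple (u, key(u), t, K), so a device can open it only if it holds key(u)."""

    def __init__(self, n):
        assert n >= 2 and n & (n - 1) == 0, "n must be a power of two"
        self.n = n
        self.key = {v: os.urandom(16) for v in range(1, 2 * n)}  # the GC knows every key

    def leaf(self, x):
        return self.n + x

    def path(self, v):
        """Nodes from v up to the root, inclusive."""
        out = []
        while v >= 1:
            out.append(v)
            v //= 2
        return out

    def device_keys(self, x):
        """What device x holds: exactly the keys on the path from its leaf to the root."""
        return {v: self.key[v] for v in self.path(self.leaf(x))}

    def revoke(self, x):
        """Dynamic (low-state) revocation of device x: refresh every key on the path
        from parent(leaf(x)) up to the root.  Returns the 2 log n - 1 rekey messages
        in the order devices must process them (bottom-up)."""
        msgs = []
        v = self.leaf(x)
        while v > 1:
            parent, sibling = v // 2, v ^ 1
            new = os.urandom(16)
            if v == self.leaf(x):
                # parent of x: only x's sibling may learn the new key
                msgs.append((sibling, self.key[sibling], parent, new))
            else:
                # v's key was refreshed one step earlier, so x cannot open this one
                msgs.append((v, self.key[v], parent, new))
                msgs.append((sibling, self.key[sibling], parent, new))
            self.key[parent] = new
            v = parent
        return msgs

    @staticmethod
    def apply(held, msgs):
        """Device side: open each message whose wrapping key it currently holds."""
        for wrap, wrap_key, target, new in msgs:
            if held.get(wrap) == wrap_key:
                held[target] = new
        return held

    def static_cover(self, revoked):
        """Zero-state use of the same tree: no rekeying is possible, so a broadcast is
        encrypted once under the key of every maximal subtree with no revoked leaf.
        Returns those subtree roots; there are at most r log(n/r) of them."""
        tainted = set()
        for x in revoked:
            tainted.update(self.path(self.leaf(x)))
        cover, stack = [], [1]
        while stack:
            v = stack.pop()
            if v not in tainted:
                cover.append(v)                     # maximal clean subtree
            elif v < self.n:
                stack.extend((2 * v, 2 * v + 1))    # tainted internal node: look below
        return sorted(cover)
```

Processing order matters for the dynamic case: the message for a node is wrapped under the already-refreshed key of the child below it, so a device must apply the messages bottom-up, exactly as the GC emits them. A revoked device holds only stale keys and can open none of them.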

Fig. 1. The LKH scheme for key management in single groups.

Subset Difference Revocation (SDR). The subset difference revocation
(SDR) approach of Naor, Naor, and Lotspiech [16] is also based on associating
all the devices with the leaves of a complete binary tree $T$. Define a subtree
$B$ as the union of all the paths from the root to leaves associated with revoked
devices. Some internal nodes in $B$ have one child and some two. Mark each
internal node $v$ in $B$ with two children as a "cut vertex" and imagine that we cut
out from $T$ the edges from $v$ to its two children. This would leave us with O(r)
rooted subtrees, each containing some number of valid devices and one revoked
leaf (which may have previously been an internal node). Each such subtree is
therefore uniquely identified by its root, $v$, and its descendant node $w$ that is
revoked. The GC associates a secret key with each node $v$, and defines a label
$L_v(w)$ for each node $w$ in the subtree, $T_v$, of $T$ rooted at $v$. $L_v(v)$ is $v$'s secret
key, and for any internal node $u$ in $T_v$, with left child $x$ and right child $y$, we
define $L_v(x) = f(L_v(u))$ and $L_v(y) = g(L_v(u))$, where $f$ and $g$ are collision-
resistant one-way hash functions that maintain the size of input strings. (Here
we use the abstract model of $f$ and $g$; Naor, Naor, and Lotspiech use in [16] a
pseudo-random generator $G$ that triples the size of its input, and take the left third
and right third of the output to be the values of $f$ and $g$.) Each leaf $z$ in $T_v$ stores
the values of all the $L_v$ labels of the nodes that are siblings of the path from $z$
to $v$ (that is, not on the path itself, but siblings of a node on the path). The
key used to encode a subtree rooted at $v$ with a revoked node $w$ inside is $L_v(w)$.
Note that no descendant of $w$ knows this value and no node outside of $T_v$ can
compute this value, which is what makes this a secure scheme. However, this
scheme requires each device to hold $O(\log^2 n)$ keys, which violates the log-key
restriction.

3 Improved Zero-State Broadcast Encryption 

To improve the storage requirements for stateless broadcast encryption, so as to
satisfy the log-key restriction, we take a data structuring approach. We begin
with the basic approach of the subset difference (SDR) method. Without loss of
generality, we assume that we are given a complete binary tree $T$ with $n$ leaves
such that each leaf of $T$ is associated with a different user. For any node $v$ in
$T$, let $T_v$ denote the subtree rooted at $v$. In addition, for any node $v$ and a
descendant $w$ of $v$, we let $T_{v,w}$ denote the tree $T_v - T_w$, that is, all the nodes that
are descendants of $v$ but not of $w$. Given a set of revoked users, we can use the
same approach as SDR to partition $T$ into at most $2r - 1$ subtrees $T_{v,w}$, such
that the union of all these trees represents the complete set of unrevoked users.

A Linear-Work Solution. As a warm-up for our efficient broadcast encryption
scheme, we first describe a scheme that uses O(log n) keys per device and O(r)
messages per broadcast, but requires O(n) work per device to decrypt messages
(we will then show how to improve the device work bound while keeping the other two
asymptotic bounds unchanged).
The main idea is that the GC needs a way of encoding a message so that
every leaf node in $T_{v,w}$ can decrypt this message, but no other user (or group
of users) can decrypt it. We note, as an additional space-saving technique, that we
can name each node in $T$ according to a level-numbering scheme (e.g., see [9]),
so that the full structure of any tree $T_{v,w}$ can be completely inferred using just
the names of $v$ and $w$. Moreover, any leaf $x$ in $T_{v,w}$ can determine its relative
position in $T_{v,w}$ immediately from its own name, $x$, and the names of $v$ and $w$.

Let us focus on a specific subtree $T_v$, for a node $v$ in $T$. We define a set of
leftist labels, $L_v(x)$, and rightist labels, $R_v(x)$, for each node $x$ of $T_v$. In particular,
let us number the nodes in $T_v$ two ways: first according to a left preorder
numbering (which visits left children before right children) and second according to
a right preorder numbering (which visits right children before left children) [9].
For a non-root node $b$ in $T_v$, let $a_l$ denote the predecessor of $b$ in the left
preorder numbering of the nodes in $T_v$. We define $L_v(b)$ to be $f(L_v(a_l))$, where $f$ is
a collision-resistant one-way hash function. Likewise, we let $a_r$ denote the
predecessor of $b$ in the right preorder numbering of the nodes in $T_v$. We define $R_v(b)$ to
be $g(R_v(a_r))$, where $g$ is a (different) collision-resistant one-way hash function.
We initialize these two hash chains by setting $L_v(v)$ and $R_v(v)$ to random seeds
known only to the GC.

For each leaf node $b$ in $T_v$, let $c_l$ and $c_r$ respectively denote the successors
of $b$ (if they exist) in the left and right preorder numberings of the nodes in $T_v$.
The keys we store at $b$ for $T_v$ are $L_v(c_l)$ and $R_v(c_r)$. (Note that we specifically
do not store $L_v(b)$ or $R_v(b)$ at $b$.) For the complete key distribution, we store
these two keys for each subtree $T_v$ containing $b$ (there are $\log n$ such subtrees).
Given this key distribution, to encrypt a message for the nodes in $T_{v,w}$, the GC
encrypts the message twice: once using $L_v(w)$ and once using $R_v(w)$.

Decryption. Let us next consider how a leaf node $b$ in $T_{v,w}$ can decrypt a message
sent to this subtree from the GC. Since $w$ is not an ancestor of $b$, there are two
possibilities: either $w$ comes after $b$ in the left preorder numbering of $T_v$ or $w$
comes after $b$ in the right preorder numbering. Since $b$ can determine the complete
structure of $T_v$ and $b$'s relative position with respect to $w$ in this subtree from the names of
$v$, $b$, and $w$, it can implicitly represent $T_{v,w}$ and know which of these two cases
applies. So suppose the first case applies (as the second case is symmetric with the
first). In this case, $b$ starts with the label $L_v(c_l)$ it stores, where $c_l$ is $b$'s successor
in the left preorder numbering of $T_v$. It then continues a left preorder traversal of
$T_v$ (which it can perform implicitly if memory is tight) until it reaches $w$. With
each new node $b$ encounters in this traversal, $b$ makes another application of the
one-way function $f$, computing the $L_v$ label of each visited node. Thus, when $b$
visits $w$ in this traversal, it will have computed $L_v(w)$ and can then decrypt the
message. This computation takes at most $|T_{v,w}|$ hash function computations.

Security. Let us next consider the security of this scheme. First, observe that
any node outside of $T_v$ has no information that can be used to help decode a
message for the nodes in some tree $T_{v,w}$, since $L_v(v)$ and $R_v(v)$ are chosen as
random seeds and nodes outside of $T_v$ receive no function of $L_v(v)$ or $R_v(v)$.
So the security risk that remains is that leaf descendants of $w$ might be able
to decrypt a message sent to the nodes in $T_{v,w}$. Let $D_w$ denote the set of leaf
descendants of $w$. For each node $b$ in $D_w$, with successors $c_l$ and $c_r$ in the two
preorder numberings, we store $L_v(c_l)$ and $R_v(c_r)$ at $b$. But none of these values
for the nodes in $D_w$ are useful for computing $L_v(w)$ or $R_v(w)$ without inverting
a one-way function, since, in any preorder traversal, all the ancestors of a node
are visited before the node is visited.

Thus, we have a key distribution strategy for the zero-state case that uses
O(log n) keys per device and O(r) messages per broadcast, albeit with work at
each device that could be O(n). In the remainder of this section, we describe
how we can reduce this work bound while keeping the other asymptotic bounds
unchanged.
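The subset-difference partition into trees $T_{v,w}$ and the linear-work label scheme above (seeds at $v$, hash chains along the left and right preorders, successor labels stored at each leaf, forward hashing at decryption time), as an added Python example. This is not the paper's code: it assumes the heap-style level numbering of this section, SHA-256 with a one-byte domain-separation tag standing in for the two one-way functions $f$ and $g$, and stores each key together with the name of the successor node it belongs to. The sample tree and revoked set are constructed for the example.

```python
import os
import hashlib


def H(side, label):
    """f (side b'L') and g (side b'R'): two domain-separated one-way functions (assumed SHA-256)."""
    return hashlib.sha256(side + label).digest()


class Tree:
    """Complete binary tree in level numbering: root 1, children of v are 2v and 2v+1,
    leaves n..2n-1.  Any tree T_{v,w} is implied by the names v and w alone."""
    def __init__(self, n):
        assert n >= 2 and n & (n - 1) == 0
        self.n = n

    def is_leaf(self, v):
        return v >= self.n

    def preorder(self, v, left_first=True):
        """Left preorder (left child first) or right preorder (right child first) of T_v."""
        out, stack = [], [v]
        while stack:
            u = stack.pop()
            out.append(u)
            if not self.is_leaf(u):
                kids = (2 * u, 2 * u + 1)
                stack.extend(kids[::-1] if left_first else kids)
        return out


def sdr_cover(t, revoked_leaves):
    """Subset-difference partition: pairs (v, w) whose trees T_{v,w} = T_v - T_w together
    contain exactly the unrevoked leaves; at most 2r - 1 pairs for r revoked leaves."""
    assert revoked_leaves, "with nobody revoked one simply encrypts under the root seeds"
    B = set()                                    # union of the root-to-revoked-leaf paths
    for leaf in revoked_leaves:
        while leaf >= 1:
            B.add(leaf)
            leaf //= 2
    cover, stack = [], [1]
    while stack:
        v = w = stack.pop()
        # walk down the single-child chain of B until a cut vertex or a revoked leaf
        while not t.is_leaf(w) and (2 * w in B) != (2 * w + 1 in B):
            w = 2 * w if 2 * w in B else 2 * w + 1
        if w != v:
            cover.append((v, w))
        if not t.is_leaf(w):                     # cut vertex: cut both child edges
            stack.extend((2 * w, 2 * w + 1))
    return cover


class LinearWorkScheme:
    """Zero-state scheme of the linear-work solution: for every node v the GC seeds two
    hash chains, L_v along the left preorder of T_v and R_v along the right preorder."""
    def __init__(self, t):
        self.t = t
        self.seed = {(v, side): os.urandom(16)
                     for v in range(1, 2 * t.n) for side in (b'L', b'R')}

    def label(self, v, w, side):
        """GC side: L_v(w) (side b'L') or R_v(w) (side b'R'); one hash per node after v."""
        order = self.t.preorder(v, side == b'L')
        lab = self.seed[(v, side)]
        for _ in range(order.index(w)):
            lab = H(side, lab)
        return lab

    def device_keys(self, b):
        """Stored at leaf b, for each proper ancestor v: L_v(c_l) and R_v(c_r), with c_l / c_r
        the successor of b in the left / right preorder of T_v (omitted if b comes last).
        At most 2 log n keys; L_v(b) and R_v(b) themselves are deliberately not stored."""
        keys, v = {}, b // 2
        while v >= 1:
            for side in (b'L', b'R'):
                order = self.t.preorder(v, side == b'L')
                i = order.index(b) + 1
                if i < len(order):
                    keys[(v, side)] = (order[i], self.label(v, order[i], side))
            v //= 2
        return keys

    def broadcast_keys(self, v, w):
        """The GC encrypts a message for T_{v,w} twice: under L_v(w) and under R_v(w)."""
        return self.label(v, w, b'L'), self.label(v, w, b'R')

    @staticmethod
    def derive(t, keys, v, w):
        """Device side: from a stored successor label, hash forward along that preorder until
        w is reached.  A leaf below w holds only labels of nodes visited after w in both
        orders, so neither chain reaches w and None is returned."""
        for side in (b'L', b'R'):
            if (v, side) not in keys:
                continue
            start, lab = keys[(v, side)]
            order = t.preorder(v, side == b'L')
            steps = order.index(w) - order.index(start)
            if steps < 0:
                continue                         # w was visited before b in this order
            for _ in range(steps):
                lab = H(side, lab)
            return lab
        return None
```

With n = 8 and leaf 11 revoked, the cover is the single tree $T_{1,11}$; leaf 8 recovers $L_1(11)$ along the left preorder, leaf 12 (which 11 precedes in the left preorder) recovers $R_1(11)$ along the right preorder, and leaf 11 itself recovers neither.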

The Stratified Subset Difference (SSD) Method. Given a constant $k$, we
can decrease the work per device to $O(n^{1/k})$ while increasing the space and
message bounds by at most a factor of $k$, which should be a good trade-off in
most applications. For example, when $n$ is less than one trillion, $n^{1/k}$ is less than
$\log n$ for a suitable constant $k$. The method involves a stratified version of the scheme described above,
giving rise to a scheme we call the stratified subset difference (SSD) method.

We begin by marking each node at a depth that is a multiple of $\lceil (\log n)/k \rceil$
as "red"; the other nodes are colored "blue." (See Figure 2.) Imagine further
that we partition the tree $T$ along the red nodes, subdividing $T$ into maximal
trees whose root and leaves are red and whose internal nodes are blue. Call each
such tree a blue tree (even though its root and leaves are red). We then apply
the method described above in each blue tree, as follows. For each leaf $b$ in $T$,
let $b_1, \ldots, b_k$ be the red ancestors of $b$, in top-down order. For $i = 1, \ldots, k$,
consider the blue tree rooted at $b_i$ and note that $b_{i+1}$ is a leaf of it.

We store at node $b$ the labels $L_{b_i}(c_l)$ and $R_{b_i}(c_r)$ ($i = 1, \ldots, k$), where $c_l$ and
$c_r$ are the left and right preorder successors of $b_{i+1}$ in the blue tree rooted at $b_i$,
respectively. Storing these labels increases the space per device by a factor of $k$.



Fig. 2. Illustration of the stratified subset difference (SSD) scheme.

To encrypt a message, the GC first performs the subdivision of $T$ into the
subtrees $T_{v,w}$ as before. Then, the GC further partitions each tree $T_{v,w}$ at the
red levels, and encodes the broadcast message, using the previously described
scheme, for each blue subtree rooted at a node on the path from $v$ to $w$. This
increases the broadcast size by at most a factor of $k$, but now the work needed
by each device is reduced to computing the $L$ or $R$ labels in a blue tree, which
has size $O(n^{1/k})$. Thus, the work per device is reduced to $O(n^{1/k})$ in this
SSD scheme.

Theorem 1. Given a balanced tree $T$ with $n$ devices, for zero-state broadcast
encryption, the stratified subset difference (SSD) scheme for $T$ uses O(log n)
keys per device and has O(r) broadcast cost, where $r$ is the number of revoked
devices in the subtree receiving the broadcast. The work per device can be made
$O(n^{1/k})$ for any fixed constant $k$.

Moreover, as we have noted, the security of this scheme is as strong as that
of SDR and LKH, i.e., it is resilient to collusions of any set of revoked devices.

4 A Biased Tree Scheme for an Organizational Chart 

We recall that in the organizational chart structure for $n$ devices, we have a
hierarchical partition of the devices induced by a tree $T$ of height $k = O(\log n)$
but with unbounded branching at each internal node. Namely, the leaves of $T$ are
associated with the devices and an internal node $v$ of $T$ represents the group
(set) of devices associated with the leaves of the subtree rooted at $v$. Thus,
sibling nodes of $T$ are associated with disjoint groups and each device belongs
to a unique sequence of O(log n) groups whose nodes are on the path from the
device's leaf to the root of $T$. Without loss of generality, we assume that an
internal node of $T$ has either all internal children (subgroups) or all external
children (devices), and its group is called an interior group or an exterior group
accordingly. We consider four types of update operations: insertion and deletion
(revocation) of a device or of an empty group. After each modification, we want
to maintain both forward and backward security.

Biased Trees. Biased trees, introduced by Bent et al. [1], are trees balanced by
the weights of leaves (typically set as access frequencies). There are two versions
of biased trees: locally biased and globally biased. We denote by $p(x)$, $l(x)$ and
$r(x)$ the parent, left child and right child of a node $x$ of a tree, and we use these
notations cumulatively; e.g., $lpp(x)$ is the left child of the grandparent of $x$.
The following definitions are taken from [1].

A biased search tree is a full binary search tree such that each node $x$ has a
weight $w(x)$ and a rank $s(x)$. The weight of a leaf is initially assigned, and the
weight of an internal node is the sum of the weights of its children. The rank
$s(x)$ of a node $x$ is a positive integer such that

1. $s(x) = \lfloor \log w(x) \rfloor$ if $x$ is a leaf;

2. $s(x) \le s(p(x)) - 1$ if $x$ is a leaf;

3. $s(x) \le s(p(x))$ and $s(x) \le s(pp(x)) - 1$.
A locally biased search tree has the following additional property:

Local bias. For any $x$ with $s(x) \le s(p(x)) - 2$,

1. if $x = lp(x)$, then either $rp(x)$ or $lrp(x)$ is a leaf with rank $s(x) - 1$; if
$x = rp(x)$, then either $lp(x)$ or $rlp(x)$ is a leaf with rank $s(x) - 1$; and

2. if $x = lp(x)$, $p(x) = rpp(x)$ and $s(p(x)) = s(pp(x))$, then either $lpp(x)$
or $rlpp(x)$ is a leaf with rank $s(x) - 1$; if $x = rp(x)$, $p(x) = lpp(x)$ and
$s(p(x)) = s(pp(x))$, then either $rpp(x)$ or $lrpp(x)$ is a leaf with rank
$s(x) - 1$.

A globally biased search tree has the following additional property:

Global bias. For any $x$ with $s(x) \le s(p(x)) - 2$, both of the two neighboring
leaves of $x$, i.e., the right-most leaf on the left and the left-most leaf on the
right, have rank at least $s(x) - 1$.

Group Hierarchies and Biased Trees. Given an organizational chart $T$
that represents a group hierarchy, we have to convert $T$ to a binary tree before
applying any encryption scheme for key management. Without loss of generality,
we convert $T$ to a binary tree $B_T$ that preserves the original group hierarchy.
Each internal node of $T$, representing a group $G_i$, becomes a special internal
node in $B_T$ that still represents $G_i$ and accommodates a GC. Additional internal
nodes are added between $G_i$ and its children in $T$ (i.e., subgroups or devices)
for the purpose of binarization. As a result, node $G_i$ plus all its children in $T$ and
the paths between them in $B_T$ form a binary subtree $B_i$ of $B_T$ with $G_i$ being
the root and each of its children in $T$ being a leaf. Note that, without special
care, $B_T$ is likely to have super-logarithmic height, and balancing such a tree using
standard techniques would destroy the group hierarchy.

Given a group hierarchy tree $T$, we assign a unit weight to each leaf and
calculate the weights of the other nodes in $T$ accordingly, i.e., the weight of each
internal node $x$ is the number of devices in the subtree of $T$ rooted at $x$. We
replace each node $x$ with a biased binary tree having the children of $x$ as its
leaves (using the weights of these nodes for the biasing). Thus, each subtree $B_i$
representing a group $G_i$ rooted at a node $x$ in $T$ can be initialized into a biased
tree without affecting the structure of the group hierarchy. Since $w(G_i)$ for each $G_i$
is an invariant, i.e., the weights of the root and leaves in every $B_i$ are invariant,
the initialization is well defined and can be done in each $B_i$ independently. That
is, combining all the biased $B_i$'s into $B_T$ will not change the structure of the
original hierarchy represented by $T$. (See Figure 3.)

Key Assignment. After initializing the biased $B_i$'s, we still assign a key to
each node of $B_T$ as in LKH, and distribute the keys to the devices and GCs according to the
following security properties:

1. each device $x$ knows all and only the keys on the path from $G_0$ to itself;

2. the GC of each $G_i$ knows all and only the keys of $G_i$'s descendants in $B_T$
and those on the path from $G_0$ to $G_i$.
Fig. 3. Binary tree $B_T$ consisting of biased trees $B_0$, $B_1$ and $B_2$. The ranks of the
nodes in $B_0$ and $B_1$ are shown.



Broadcast and Multicast. Using the above security properties and an appropriate
signature or authentication mechanism [2,4,20,25], the GC of each $G_i$
can send a message securely with one key encryption to $G_i$ or to any subgroup or
super-group of $G_i$, without any ambiguity.

Key Update and Tree Rebalance. As in the LKH scheme, keys should be
updated after each insertion or deletion (revocation) of a device or group so
that the security properties 1 and 2 are maintained. Moreover, we should also
rebalance $B_T$ to preserve the bias properties in each $B_i$. Assume that we can
insert a leaf, delete a leaf, or update the weight of a leaf in $B_i$ (by insert($x$),
delete($x$) and reweight($x$), respectively) while preserving both the security and
bias properties. Then inserting or deleting a device $x \in G_k \subset G_{k-1} \subset \cdots \subset G_0$
can be done in three steps:

1. insert or delete a leaf in the exterior tree $B_k$;

2. update the weights $w(G_k), w(G_{k-1}), \ldots, w(G_1)$ in the interior trees $B_{k-1}$,
$B_{k-2}, \ldots, B_0$ accordingly; and

3. update the keys on the path from $x$ to $G_0$ bottom-up, as in the LKH scheme.

To insert or delete a group $G_{k+1} \subset G_k \subset \cdots \subset G_0$ is a similar process, except that it
starts with an insertion or deletion in an interior tree $B_k$. Therefore insert, delete
and reweight in each $B_i$ suffice for all our hierarchy modifications in $B_T$. Such
operations preserving the bias properties were already given and analyzed in
[1]; we now describe how to modify them to preserve the security properties,
too.

Recall that the biased tree operations, including insert, delete and reweight, recursively call an operation tilt as the only subroutine that rebalances the biased tree structure [1]. Operation tilt performs a single rotation together with a rank modification. A node loses descendants during a rotation only if it is rotated down, and losing descendants is the only way a key can leak in the LKH scheme: a former descendant still holds the key of the node it left. Hence, to maintain security properties 1 and 2 after any rotation in $B_i$, it is necessary and sufficient to update the key at the node rotated down. Observing that updating a single key and distributing the result of a rotation are both easy in our scheme, we can replace the tilt in [1] with our secure-tilt, which preserves security properties 1 and 2. We give a detailed description of secure-tilt-left in Figure 4. Operation secure-tilt-right is analogous. Using secure-tilt as the subroutine in the biased tree operations, the scheme is as secure as LKH.

Algorithm secure-tilt-left(x)
  if s(l(x)) = s(x) = s(r(x)) then
    s(x) ← s(x) + 1
  else if s(l(x)) < s(x) and s(r(x)) = s(x) then
    let x, l(x), r(x), lr(x), rr(x) be A, B, C, D, E
    p(C) ← p(A), l(C) ← A, p(A) ← C, r(A) ← D, p(D) ← A   {left rotation at x}
    update key(A)   {A lost the descendants in E's subtree}
    distribute key(A) and key(C) to their descendants
    x ← C
  end if
  return x

Fig. 4. The algorithm for operation secure-tilt-left(x).
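The rotation branch of secure-tilt-left, as an added example (not the paper's code): a left rotation on a small constructed tree, the refresh of key(A) at the node rotated down, the rekey messages that redistribute key(A) and key(C), and a check that security property 1 still holds for every device afterwards. Node names, ranks, the use of random 16-byte keys and the modelling of an encrypted message as a pair (encrypting key, payload key) are all assumptions of this example; the check confirms in particular that the devices under E cannot obtain the new key(A).

```python
"""secure-tilt-left with LKH-style rekeying (added example, not the paper's code).

Keys are random 16-byte strings. A rekey message is modelled as the pair
(encrypting key, payload key): a device can read the payload iff it already
holds the encrypting key. The tree, ranks and names below are constructed.
"""
import os
from dataclasses import dataclass, field


@dataclass(eq=False)
class Node:
    name: str
    rank: int                     # biased-tree rank s(x)
    left: "Node | None" = None
    right: "Node | None" = None
    parent: "Node | None" = None
    key: bytes = field(default_factory=lambda: os.urandom(16))


def attach(parent, left, right):
    """Wire two children under parent and return parent."""
    parent.left, parent.right = left, right
    left.parent = right.parent = parent
    return parent


def path_keys(node):
    """Keys on the path from node up to the root: security property 1 says a
    device at `node` holds exactly these."""
    keys = set()
    while node is not None:
        keys.add(node.key)
        node = node.parent
    return keys


def leaves(node):
    if node.left is None:
        return [node]
    return leaves(node.left) + leaves(node.right)


def secure_tilt_left(x):
    """Return (root of the tilted subtree, rekey messages, retired keys).

    Branch 1 (equal ranks): promote the rank of x, no rotation, no rekeying.
    Branch 2: left rotation at x = A with r(x) = C. A is rotated down and loses
    E's subtree, so key(A) is replaced; C gains B's subtree, which must learn
    key(C). Everything else keeps the keys it already holds.
    """
    a, b, c = x, x.left, x.right
    messages, retired = [], set()
    if b.rank == a.rank == c.rank:
        a.rank += 1
        return a, messages, retired
    if b.rank < a.rank and c.rank == a.rank:
        d = c.left
        # left rotation: p(C) <- p(A), l(C) <- A, r(A) <- D (plus parent pointers)
        c.parent = a.parent
        if a.parent is not None:
            if a.parent.left is a:
                a.parent.left = c
            else:
                a.parent.right = c
        c.left, a.parent = a, c
        a.right, d.parent = d, a
        # update key(A): E's subtree still holds the old one, so it is retired
        retired.add(a.key)
        a.key = os.urandom(16)
        # distribute: new key(A) to A's children under their own keys, and
        # key(C) to its new descendants (B's subtree); D and E already hold it
        messages += [(b.key, a.key), (d.key, a.key), (b.key, c.key)]
        return c, messages, retired
    return x, messages, retired


def knowledge(held, messages, retired):
    """Keys a device ends with: what it held, plus every payload it can
    decrypt (iterated to a fixpoint), minus keys that were retired."""
    known = set(held)
    progress = True
    while progress:
        progress = False
        for enc, payload in messages:
            if enc in known and payload not in known:
                known.add(payload)
                progress = True
    return known - retired


def demo():
    """Tree R(A(B, C(D, E)), F) with ranks chosen to trigger the rotation.
    Returns (new subtree root, number of messages, property 1 holds for all)."""
    b, d, e = Node("B", 1), Node("D", 1), Node("E", 1)
    c = attach(Node("C", 2), d, e)
    a = attach(Node("A", 2), b, c)
    r = attach(Node("R", 3), a, Node("F", 1))
    before = {leaf.name: path_keys(leaf) for leaf in leaves(r)}
    new_root, messages, retired = secure_tilt_left(a)
    ok = all(knowledge(before[leaf.name], messages, retired) == path_keys(leaf)
             for leaf in leaves(r))
    return new_root.name, len(messages), ok


if __name__ == "__main__":
    print(demo())   # ('C', 3, True)
```

Three messages suffice for the whole rotation, which is the constant message size the efficiency argument below relies on; the devices under E receive nothing and therefore end up holding only the keys on their new (shorter) path.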



Efficiency of the Scheme. The insert, delete and reweight operations in biased trees are implemented as follows. join and split are the two basic biased tree operations. join(x, y) has global and local versions, which merge two global or local biased trees with roots x and y and return the root of the resulting tree; both versions work by recursively calling secure-tilt. split(T, x) splits T into two biased trees $T_1$ and $T_2$, containing all the leaves of T whose binary search keys are less than x and greater than x, respectively; split calls local-join as a subroutine and is applicable to both local and global biased trees.

Other operations are based on join and split: operation insert(x) splits T by x and then joins $T_1$, x and $T_2$ together; operation delete(x) splits T by x and then joins $T_1$ and $T_2$ back, ignoring x; and operation reweight(x) splits T by x, updates the weight of x, and then joins $T_1$, x and $T_2$ back into T.

The correctness and efficiency of our hierarchy modifications in $B_T$ follow from those of the biased tree operations. Since our secure-tilt takes a constant number of messages, just as the tilt in [1] takes constant time, all time bounds in [1] also hold as message-size bounds in our scheme.

This gives us the following. 

Theorem 2. Given an organizational chart tree T with height k and n devices, under the log-key restriction, the dynamic biased binary tree scheme for T has O(1) broadcast cost and $O(k + \log n)$ revocation and insertion cost.

Proof. We show how to access a device $x \in G_k \subset G_{k-1} \subset \cdots \subset G_0$ from $G_0$. The analysis of the other operations is similar. Since the root of $B_i$ is a leaf of $B_{i-1}$, and each biased tree $B_i$, $i = 0, 1, \ldots, k$, has the ideal access time, the time to access x from $G_0$ is $O(\log n + k)$. □



Thus, we satisfy the log-key restriction for any organizational chart with height $k = O(\log n)$. We also note that applying our SSD approach to a static application of the techniques developed in this section results in a scheme using $O(\log n)$ keys per device and $O(r)$ messages per broadcast for an organizational chart with height $O(\log n)$.



5 A Dynamic Tree Scheme for a Multicast Tree 

Let us next consider the multicast tree structure, which, for the sake of broadcast encryption, is similar to the organizational chart, except that the height of a multicast tree can be much larger than logarithmic (we even allow linear height). For a multicast tree T with n devices and m groups, we give a scheme with $O(\log m)$ broadcast cost and $O(\log n)$ update cost, irrespective of the depth of T.

Dynamic Trees. Dynamic trees were first studied by Sleator and Tarjan [22] and used for various tree queries and network flow problems. The key idea is to partition a highly unbalanced tree into paths and to associate with each path a biased tree structure, which is balanced in some sense. Thus any node in the tree can be accessed, and any update to the tree can be done, in $O(\log n)$ time through the associated structure, regardless of the depth of the node or the height of the tree. The dynamic tree used in our scheme is specified by taking the partition-by-weight (size) approach and having no cost on the edges. The following definition refers to this specification.

A dynamic tree T is a weighted binary search tree where the weight $w_T(x)$ is initially assigned if x is a leaf, or $w_T(x) = w_T(l(x)) + w_T(r(x))$ if x is an internal node. The edges of T are partitioned into solid and dashed edges so that each node links with its heavier child by a solid edge and with the lighter child by a dashed edge. Thus T is partitioned into solid paths $P_j$ linked by dashed edges. We denote by $h(P_j)$ the deepest node in $P_j$ and by $t(P_j)$ the upper-most one¹. Then the edge between any $t(P_j)$ and its parent must be dashed, and vice versa. For $O(\log n)$ operations, each solid path $P_j$ is further organized as a global biased tree, denoted by $B(P_j)$, so that the nodes from $h(P_j)$ to $t(P_j)$ become the leaves of $B(P_j)$ from left to right, and the weight of a leaf x in $B(P_j)$ is assigned as $w_{B(P_j)}(x) = w_T(y)$, where y is the dashed child of x in T. Then T consists of these $B(P_j)$'s, obtained by linking the root of each $B(P_j)$ with the parent of $t(P_j)$, unless $t(P_j)$ is the root of T. (See Figure 5.) To show that such a structure of T is well defined, let the root of $B(P_j)$ be x and the parent of $t(P_j)$ be $y \in P_{j-1}$; then we have $w_{B(P_j)}(x) = w_T(t(P_j)) = w_{B(P_{j-1})}(y)$. Thus, x can replace $t(P_j)$ as a child of y.

¹ $h(P_j)$ must be a leaf of T by the "partition by weight" approach.
Fig. 5. Partition of tree $B_T$ and the accessing path to x.



Group Hierarchies and Dynamic Trees. We convert a multicast tree T to a binary tree $B_T$ that preserves the group hierarchy in T, exactly as in the biased tree scheme. Instead of using a biased tree, we simply use a complete binary tree for each $B_i$, then assign a unit weight $w_T(x) = 1$ to each device and partition $B_T$ into a dynamic tree as above. A key is assigned to each node of each $B(P_j)$. Since the root of $B(P_j)$ becomes a child of a leaf of $B(P_{j-1})$, each device becomes a descendant of a unique string of biased trees of paths $B(P_j), B(P_{j-1}), \ldots, B(P_0)$. A device is accessed not through the real path in $B_T$ but through the path in this string of $B(P_j)$'s. (See Figure 5.)

Broadcast and Multicast. Broadcast in a group $G_i$ becomes a little more complicated because, although device x is a descendant of $G_i$ in T, $G_i$ may not be on the accessing path from $G_0$ to x. However, if $G_i \in P_j$, then the accessing path to any descendant of $G_i$ must pass through a node in the prefix of $P_j$ from $h(P_j)$ to $G_i$. So, to broadcast in $G_i$, it is sufficient to encrypt the message under the keys in $B(P_j)$ that cover this prefix of $P_j$. In the full version, we show that, with the dynamic tree scheme, it takes $O(\log |P_j|)$ encryptions to broadcast a message in any group $G_i \in P_j$, both in the worst case and on average.

Key Updates. We follow the dynamic tree operations in [22] to modify the hierarchy, and update the keys on the accessing path of the updated item as in the LKH scheme. Dynamic tree operations dynamically change the solid path partition to guarantee the $O(\log n)$ running time, and such a change is carried out by the biased tree operations among the $B(P_j)$'s. Therefore, operation secure-tilt preserves the security properties along any accessing path. The dynamic tree operations we use are as follows:

— splice($P_j$): extend $P_j$ by converting the edge from $t(P_j)$ to its parent into a solid edge, and the edge between sibling($t(P_j)$) and its parent into a dashed one.

— slice($P_j$): let (x, y) be the upper-most edge in $P_j$ such that y is not the heavier child of x, if such edges exist in $P_j$. Then cut $P_j$ by converting (x, y) into dashed and (x, sibling(y)) into solid.

— expose(x): make the path from x to $G_0$ (the real path in $B_T$) into a single solid path by a series of splices.

— conceal($P_j$): convert every edge in $P_j$ that does not link to the heavier child of its parent into dashed by a series of slices.

— link(x, y): combine two dynamic trees by making y the parent of x, where x is the root of the first tree and y is a node in the second.

— cut(x): divide a dynamic tree into two by deleting the edge between x and p(x).

Inserting or deleting a device or a group corresponds to a link or cut operation, respectively. Such dynamic tree operations take $O(\log n)$ time and can be reduced to a series of join and split operations on biased trees. The algorithmic template for a dynamic tree operation is the expose-and-conceal strategy, described as follows:

1. perform expose(x) on a node x;

2. if the above expose operation violates the "partition by weight" property, restore the property by executing conceal($P_j$) on the appropriate path $P_j$.

Since all the dynamic tree operations reduce to a series of biased tree operations, operation secure-tilt is still the only subroutine that adjusts the partition into $B(P_j)$'s. Notice that the structure $B_T$ itself is never adjusted; only the accessing path to each device x is adjusted through these operations. From [22], we know that, with partition by weight and with the solid paths represented as global biased trees, any dynamic tree operation takes $O(\log n)$ time. Since a hierarchy modification consists of a dynamic tree operation plus updating the keys on an access path, which is also of length $O(\log n)$, the efficiency of key updating for hierarchy modifications follows.
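The partition by weight and the expose-and-conceal template, as an added example (not the paper's code): a small model in which each internal node records which child its solid edge leads to, a splice-based expose that turns a device's real path into one solid path, and a slice-based conceal that restores the partition. The biased trees $B(P_j)$ that index each solid path are deliberately not modelled, and the two constructed shapes (a chain of linear height and a complete binary tree) are assumptions of the example; the point they show is that the number of dashed edges on any access path, i.e. the number of solid paths an access has to cross, stays at most $\log_2 n$ even when the depth is $n - 1$.

```python
"""Partition-by-weight dynamic tree with expose/conceal (added example).

Not the paper's code: a minimal model of the solid/dashed edge partition of
Section 5. Each internal node keeps a `solid` pointer to the child reached by
its solid edge; the biased trees B(P_j) that index each solid path are not
modelled. Tree shapes and names are constructed.
"""
import math


class TNode:
    def __init__(self, name, left=None, right=None):
        self.name, self.left, self.right, self.parent = name, left, right, None
        for c in (left, right):
            if c is not None:
                c.parent = self
        # w_T(x): unit weight for a device (leaf), sum of the children otherwise
        self.weight = 1 if left is None else left.weight + right.weight
        self.solid = None

    def heavier_child(self):
        if self.left is None:
            return None
        # ties go left: the paper's partition only fixes the strict case
        return self.left if self.left.weight >= self.right.weight else self.right


def partition_by_weight(root):
    """Point every solid edge at the heavier child."""
    stack = [root]
    while stack:
        x = stack.pop()
        x.solid = x.heavier_child()
        stack.extend(c for c in (x.left, x.right) if c is not None)


def root_path(x):
    """Nodes from x up to the root of T (the real path in B_T)."""
    path = []
    while x is not None:
        path.append(x)
        x = x.parent
    return path


def dashed_edges_on_path(x):
    """Dashed edges between x and the root: the number of solid paths an
    access to x crosses. Each one halves the weight, so at most log2(n)."""
    return sum(1 for y in root_path(x)
               if y.parent is not None and y.parent.solid is not y)


def expose(x):
    """Splice up x's path until it is one solid path; returns spliced nodes."""
    spliced = []
    for y in root_path(x):
        p = y.parent
        if p is not None and p.solid is not y:
            p.solid = y            # (p, y) becomes solid, (p, sibling(y)) dashed
            spliced.append(p.name)
    return spliced


def conceal(x):
    """Slice every edge on x's root path that does not lead to the heavier
    child, restoring partition by weight after an expose."""
    for y in root_path(x):
        if y.left is not None:
            y.solid = y.heavier_child()


def partition_ok(root):
    """Check the partition-by-weight invariant at every internal node."""
    stack = [root]
    while stack:
        x = stack.pop()
        if x.left is not None:
            if x.solid is not x.heavier_child():
                return False
            stack.extend((x.left, x.right))
    return True


def build_chain(n):
    """Left-leaning chain: n devices, height n-1 (linear-depth multicast tree)."""
    devices = [TNode(f"d{i}") for i in range(n)]
    t = devices[0]
    for dev in devices[1:]:
        t = TNode("g" + dev.name, left=t, right=dev)
    return t, devices


def build_complete(h, prefix="d"):
    """Complete binary tree with 2^h devices."""
    if h == 0:
        leaf = TNode(prefix)
        return leaf, [leaf]
    l, ld = build_complete(h - 1, prefix + "0")
    r, rd = build_complete(h - 1, prefix + "1")
    return TNode("g" + prefix, left=l, right=r), ld + rd


def demo():
    """Per shape: depth of the worst device, dashed edges on its path, whether
    expose made the path solid, whether conceal restored the partition, and
    whether the dashed count respects log2(n)."""
    results = {}
    for name, (root, devices) in {"chain": build_chain(64),
                                  "complete": build_complete(6)}.items():
        partition_by_weight(root)
        worst = max(devices, key=dashed_edges_on_path)
        depth, before = len(root_path(worst)) - 1, dashed_edges_on_path(worst)
        expose(worst)
        solid_now = dashed_edges_on_path(worst) == 0
        conceal(worst)
        results[name] = (depth, before, solid_now, partition_ok(root),
                         before <= math.log2(len(devices)))
    return results
```

In the real scheme each splice and slice is a join or split on the corresponding $B(P_j)$'s, so every rotation they trigger goes through secure-tilt and rekeys the node rotated down; here only the partition itself is tracked, which is enough to see why an access path is short regardless of the tree's height.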

Theorem 3. Given a multicast tree T with n devices structured in m groups, under the log-key restriction, the dynamic tree scheme for T has $O(\log m)$ broadcast cost and $O(\log n)$ revocation and insertion cost.

A zero-state version can also be developed, which uses the biased trees and the broadcast scheme to send messages to the unrevoked leaves in a multicast tree T using $O(r \log n)$ broadcasts, for devices storing $O(\log n)$ keys each, where r is the number of revoked devices.
Abstract. In a recent paper Dinur and Nissim considered a statistical
database in which a trusted database administrator monitors queries 
and introduces noise to the responses with the goal of maintaining data 
privacy [5]. Under a rigorous definition of breach of privacy, Dinur and 
Nissim proved that unless the total number of queries is sub-linear in the 
size of the database, a substantial amount of noise is required to avoid a 
breach, rendering the database almost useless. 

As databases grow increasingly large, the possibility of being able to 
query only a sub-linear number of times becomes realistic. We further 
investigate this situation, generalizing the previous work in two impor- 
tant directions: multi-attribute databases (previous work dealt only with 
single-attribute databases) and vertically partitioned databases, in which 
different subsets of attributes are stored in different databases. In addi- 
tion, we show how to use our techniques for datamining on published 
noisy statistics. 

Keywords: Data Privacy, Statistical Databases, Data Mining, Vertically 
Partitioned Databases. 



1 Introduction 

In a recent paper Dinur and Nissim considered a statistical database in which 
a trusted database administrator monitors queries and introduces noise to the 
responses with the goal of maintaining data privacy [5] . Under a rigorous defini- 
tion of breach of privacy, Dinur and Nissim proved that unless the total number 
of queries is sub-linear in the size of the database, a substantial amount of noise 
is required to avoid a breach, rendering the database almost useless¹. However,
when the number of queries is limited, it is possible to simultaneously preserve 
privacy and obtain some functionality by adding an amount of noise that is a 
function of the number of queries. Intuitively, the amount of noise is sufficiently 
large that nothing specific about an individual can be learned from a relatively 
small number of queries, but not so large that information about sufficiently 
strong statistical trends is obliterated. 

¹ For unbounded adversaries, the amount of noise (per query) must be linear in the size of the database; for polynomially bounded adversaries, $\Omega(\sqrt{n})$ noise is required.

M. Franklin (Ed.): CRYPTO 2004, LNCS 3152, pp. 528-544, 2004. 

(c) International Association for Cryptologic Research 2004 
As databases grow increasingly massive, the notion that the database will be
queried only a sub-linear number of times becomes realistic. We further inves- 
tigate this situation, significantly broadening the results in [5], as we describe 
below. 

Methodology. We follow a cryptography-flavored methodology, where we con- 
sider a database access mechanism private only if it provably withstands any 
adversarial attack. For such a database access mechanism any computation over 
query answers clearly preserves privacy (otherwise it would serve as a privacy 
breaching adversary). We present a database access mechanism and prove its 
security under a strong privacy definition. Then we show that this mechanism 
provides utility by demonstrating a datamining algorithm. 

Statistical Databases. A statistical database is a collection of samples that are 
somehow representative of an underlying population distribution. We model 
a database as a matrix, in which rows correspond to individual records and 
columns correspond to attributes. A query to the database is a set of indices 
(specifying rows), and a Boolean property. The response is a noisy version of the 
number of records in the specified set for which the property holds. (Dinur and 
Nissim consider one-column databases containing a single binary attribute.) The 
model captures the situation of a traditional, multiple-attribute, database, in 
which an adversary knows enough partial information about records to “name” 
some records or select among them. Such an adversary can target a selected 
record in order to try to learn the value of one of its unknown sensitive at- 
tributes. Thus, the mapping of individuals to their indices (record numbers) is 
not assumed to be secret. For example, we do not assume the records have been 
randomly permuted. 

We assume each row is independently sampled from some underlying distri- 
bution. An analyst would usually assume the existence of a single underlying 
row distribution D, and try to learn its properties. 

Privacy. Our notion of privacy is a relative one. We assume the adversary knows the underlying distribution $\mathcal{D}$ on the data, and, furthermore, may have some a priori information about specific records, e.g., "p, the a priori probability that at least one of the attributes in record 400 has value 1, is .38". We analyze privacy with respect to any possible underlying (row) distributions $\{\mathcal{D}_i\}$, where the ith row is chosen according to $\mathcal{D}_i$. This partially models a priori knowledge an attacker has about individual rows (i.e., $\mathcal{D}_i$ is $\mathcal{D}$ conditioned on the attacker's knowledge of the ith record). Continuing with our informal example, privacy is breached if the a posteriori probability (after the sequence of queries has been issued and responded to) that "at least one of the attributes in record 400 has value 1" differs from the a priori probability p "too much".

Multi-attribute Sub-linear Queries (SuLQ) Databases. The setting studied in [5], in which an adversary issues only a sublinear number of queries (SuLQ) to a single-attribute database, can be generalized to multiple attributes in several natural ways. The simplest scenario is a single k-attribute SuLQ database, queried by specifying a set of indices and a k-ary Boolean function. The response is a noisy version of the number of records in the specified set for which the function, applied to the attributes in the record, evaluates to 1. A more involved scenario is multiple single-attribute SuLQ databases, one for each attribute, administered independently. In other words, our k-attribute database is vertically partitioned into k single-attribute databases. In this case, the challenge will be datamining: learning the statistics of Boolean functions of the attributes, using the single-attribute query and response mechanisms as primitives. A third possibility is a combination of the first two: a k-attribute database that is vertically partitioned into two (or more) databases with $k_1$ and $k_2$ (possibly overlapping) attributes, respectively, where $k_1 + k_2 \ge k$. Database i, i = 1, 2, can handle $k_i$-ary functional queries, and the goal is to learn relationships between the functional outputs, e.g., "If $f_1(\alpha_{1,1}, \ldots, \alpha_{1,k_1})$ holds, does this increase the likelihood that $f_2(\alpha_{2,1}, \ldots, \alpha_{2,k_2})$ holds?", where $f_i$ is a function on the attribute values for records in the ith database.

1.1 Our Results 

We obtain positive datamining results in the extensions to the model of [5] described above, while maintaining the strengthened privacy requirement:

1. Multi-attribute SuLQ databases: The statistics for every k-ary Boolean function can be learned². Since the queries here are powerful (any function), it is not surprising that statistics for any function can be learned. The strength of the result is that statistics are learned while maintaining privacy.

2. Multiple single-attribute SuLQ databases: We show how to learn the statistics of any 2-ary Boolean function. For example, we can learn the fraction of records having neither attribute 1 nor attribute 2, or the conditional probability of having attribute 2 given that one has attribute 1. The key innovation is a procedure for testing the extent to which one attribute, say, α, implies another attribute, β, in probability, meaning that $\Pr[\beta \mid \alpha] = \Pr[\beta] + \Delta$, where Δ can be estimated by the procedure.

3. Vertically partitioned k-attribute SuLQ databases: The constructions here are a combination of the results for the first two cases: the k attributes are partitioned into (possibly overlapping) sets of size $k_1$ and $k_2$, respectively, where $k_1 + k_2 \ge k$; each of the two sets of attributes is managed by a multi-attribute SuLQ database. We can learn all 2-ary Boolean functions of the outputs of the results from the two databases.

We note that a single-attribute database can be simulated in all of the above settings; hence, in order to preserve privacy, the sub-linear upper bound on queries must be enforced. How this bound is enforced is beyond the scope of this work.

² Note that because of the noise, statistics cannot be learned exactly. An additive error on the order of is incurred, where n is the number of records in the database. The same is true for single-attribute databases.
Datamining on Published Statistics. Our technique for testing implication in probability yields surprising results in the real-life model in which confidential information is gathered by a trusted party, such as the census bureau, who publishes aggregate statistics. Describing our results by example, suppose the bureau publishes the results of a large (but sublinear) number of queries. Specifically, for every, say, triple of attributes $(\alpha_1, \alpha_2, \alpha_3)$, and for each of the eight conjunctions of literals over three attributes $(\alpha_1\alpha_2\alpha_3, \alpha_1\alpha_2\bar{\alpha}_3, \ldots, \alpha_{k-2}\alpha_{k-1}\alpha_k)$, the bureau publishes the result of several queries on these conjunctions. We show how to construct approximate statistics for any binary function of six attributes. (In general, using data published for ℓ-tuples, it is possible to approximately learn statistics for any 2ℓ-ary function.) Since the published data are the results of SuLQ database queries, the total number of published statistics must be sublinear in n, the size of the database. Also, in order to keep the error down, several queries must be made for each conjunction of literals. These two facts constrain the values of ℓ and the total number k of attributes for which the result is meaningful.

1.2 Related Work 

There is a rich literature on confidentiality in statistical databases. An excellent survey of work prior to the late 1980's was made by Adam and Wortmann [2]. Using their taxonomy, our work falls under the category of output perturbation. However, to our knowledge, the only work that has exploited the opportunities for privacy inherent in the fact that with massive databases the actual number of queries will be sublinear is Sect. 4 of [5] (joint work with Dwork). That work only considered single-attribute SuLQ databases.

Fanconi and Merola give a more recent survey, with a focus on aggregated data released via web access [10]. Evfimievski, Gehrke, and Srikant, in the Introduction to [7], give a very nice discussion of work on randomization of data, in which data contributors (e.g., respondents to a survey) independently add noise to their own responses. A special issue (Vol. 14, No. 4, 1998) of the Journal of Official Statistics is dedicated to disclosure control in statistical data. A discussion of some of the trends in the statistical research, accessible to the non-statistician, can be found in [8].

Many papers in the statistics literature deal with generating simulated data 
while maintaining certain quantities, such as marginals [9] . Other widely-studied 
techniques include cell suppression, adding simulated data, releasing only a sub- 
set of observations, releasing only a subset of attributes, releasing synthetic or 
partially synthetic data [13,12], data-swapping, and post-randomization. See 
Duncan (2001) [6]. 

R. Agrawal and Srikant began to address privacy in datamining in 2000 [3]. 
That work attempted to formalize privacy in terms of confidence intervals (in- 
tuitively, a small interval of confidence corresponds to a privacy breach), and 
also showed how to reconstruct an original distribution from noisy samples (i.e., 
each sample is the sum of an underlying data distribution sample and a noise 
sample), where the noise is drawn from a certain simple known distribution. 
This work was revisited by D. Agrawal and C. Aggarwal [1], who noted that it
is possible to use the outcome of the distribution reconstruction procedure to 
significantly diminish the interval of confidence, and hence breach privacy. They 
formulated privacy (loss) in terms of mutual information, taking into account 
(unlike [3]) that the adversary may know the underlying distribution on the data 
and “facts of life” (for example, that ages cannot be negative). Intuitively, if the 
mutual information between the sensitive data and its noisy version is high, then 
a privacy breach occurs. They also considered reconstruction from noisy sam- 
ples, using the EM (expectation maximization) technique. Evfimievsky, Gehrke, 
and Srikant [7] criticized the usage of mutual information for measuring privacy, 
noting that low mutual information allows complete privacy breaches that hap- 
pen with low but significant frequency. Concurrently with and independently of 
Dinur and Nissim [5] they presented a privacy definition that related the a priori 
and a posteriori knowledge of sensitive data. We note below how our definition 
of privacy breach relates to that of [7, 5] . 

A different and appealing definition has been proposed by Chawla, Dwork, 
McSherry, Smith, and Wee [4], formalizing the intuition that one’s privacy is 
guaranteed to the extent that one is not brought to the attention of others. We 
do not yet understand the relationship between the definition in [4] and the one 
presented here. 

There is also a very large literature in secure multi-party computation. In 
secure multi-party computation, functionality is paramount, and privacy is only 
preserved to the extent that the function outcome itself does not reveal infor- 
mation about the individual inputs. In privacy-preserving statistical databases, 
privacy is paramount. Functions of the data that cannot be learned while pro- 
tecting privacy will simply not be learned. 

2 Preliminaries 

Notation. We denote by neg(n) (read: negligible) a function that is asymptotically smaller than any inverse polynomial. That is, for all c > 0, for all sufficiently large n, we have $\mathrm{neg}(n) < 1/n^c$. We write $\tilde{O}(T(n))$ for $T(n) \cdot \mathrm{polylog}(n)$.



2.1 The Database Model 

In the following discussion, we do not distinguish between the case of a verti- 
cally partitioned database (in which the columns are distributed among several 
servers) and a “whole” database (in which all the information is in one place). 

We model a database as an $n \times k$ binary matrix $d = \{d_{i,j}\}$. Intuitively, the columns in d correspond to Boolean attributes $\alpha_1, \ldots, \alpha_k$, and the rows in d correspond to individuals, where $d_{i,j} = 1$ iff attribute $\alpha_j$ holds for individual i. We sometimes refer to a row as a record.

Let $\mathcal{D}$ be a distribution on $\{0,1\}^k$. We say that a database $d = \{d_{i,j}\}$ is chosen according to distribution $\mathcal{D}$ if every row in d is chosen according to $\mathcal{D}$, independently of the other rows (in other words, d is chosen according to $\mathcal{D}^n$).




Privacy-Preserving Datamining on Vertically Partitioned Databases 533 



In our privacy analysis we relax this requirement and allow each row i to be chosen from a (possibly) different distribution $\mathcal{D}_i$. In that case we say that the database is chosen according to $\mathcal{D}_1 \times \cdots \times \mathcal{D}_n$.

Statistical Queries. A statistical query is a pair (q, g), where $q \subseteq [n]$ indicates a set of rows in d and $g : \{0,1\}^k \to \{0,1\}$ denotes a function on attribute values. The exact answer to (q, g) is the number of rows of d in the set q for which g holds (evaluates to 1):

$$a_{q,g} = \sum_{i \in q} g(d_{i,1}, \ldots, d_{i,k}) = |\{i : i \in q \text{ and } g(d_{i,1}, \ldots, d_{i,k}) \text{ holds}\}|.$$

We write (q, j) when the function g is a projection onto the jth element: $g(x_1, \ldots, x_k) = x_j$. In that case (q, j) is a query on a subset of the entries in the jth column: $a_{q,j} = \sum_{i \in q} d_{i,j}$. When we look at vertically partitioned single-attribute databases, the queries will all be of this form.

Perturbation. We allow the database algorithm to give perturbed (or "noisy") answers to queries. We say that an answer $\hat{a}_{q,g}$ is within perturbation $\mathcal{E}$ if $|\hat{a}_{q,g} - a_{q,g}| \le \mathcal{E}$. Similarly, a database algorithm $\mathcal{A}$ is within perturbation $\mathcal{E}$ if for every query (q, g)

$$\Pr[|\mathcal{A}(q,g) - a_{q,g}| \le \mathcal{E}] = 1 - \mathrm{neg}(n).$$

The probability is taken over the randomness of the database algorithm $\mathcal{A}$.

2.2 Probability Tool 

Proposition 1. Let $s_1, \ldots, s_t$ be random variables so that $|E[s_i]| \le \alpha$ and $|s_i| \le \beta$; then

$$\Pr\Big[\Big|\sum_{i=1}^{t} s_i\Big| > \lambda(\alpha + \beta)\sqrt{t} + t\beta\Big] < 2e^{-\lambda^2/2}.$$

Proof. Let $z'_i = s_i - E[s_i]$, hence $|z'_i| \le \alpha + \beta$. Using Azuma's inequality³ we get that $\Pr[|\sum_{i=1}^{t} z'_i| > \lambda(\alpha + \beta)\sqrt{t}] < 2e^{-\lambda^2/2}$. As $|\sum_{i=1}^{t} s_i| = |\sum_{i=1}^{t} z'_i + \sum_{i=1}^{t} E[s_i]| \le |\sum_{i=1}^{t} z'_i| + t\beta$, the proposition follows.

3 Privacy Definition 

We give a privacy definition that extends the definitions in [5, 7]. Our definition 
is inspired by the notion of semantic security of Goldwasser and Micali [11]. We 
first state the formal definition and then show some of its consequences. 

Let $p_0^{i,j}$ be the a priori probability that $d_{i,j} = 1$ (taking into account that we assume the adversary knows the underlying distribution $\mathcal{D}_i$ on row i). In general, for a Boolean function $f : \{0,1\}^k \to \{0,1\}$ we let $p_0^{i,f}$ be the a priori probability that $f(d_{i,1}, \ldots, d_{i,k}) = 1$. We analyze the a posteriori probability that $f(d_{i,1}, \ldots, d_{i,k}) = 1$ given the answers to T queries, as well as all the values in all the rows of d other than i: $d_{i',j}$ for all $i' \ne i$. We denote this a posteriori probability $p_T^{i,f}$.

³ Let $X_0, \ldots, X_m$ be a martingale with $|X_{i+1} - X_i| \le 1$ for all $0 \le i < m$. Let $\lambda > 0$ be arbitrary. Azuma's inequality says that then $\Pr[X_m > \lambda\sqrt{m}] < e^{-\lambda^2/2}$.



Confidence. To simplify our calculations we follow [5] and define a monotonically increasing 1-1 mapping $\mathrm{conf} : (0,1) \to \mathbb{R}$ as follows:

$$\mathrm{conf}(p) = \log \frac{p}{1-p}.$$

Note that a small additive change in conf implies a small additive change in p⁴. Let $\mathrm{conf}_0^{i,f} = \log \frac{p_0^{i,f}}{1 - p_0^{i,f}}$ and $\mathrm{conf}_T^{i,f} = \log \frac{p_T^{i,f}}{1 - p_T^{i,f}}$. We write our privacy requirements in terms of the random variables $\Delta\mathrm{conf}^{i,f}$ defined as⁵:

$$\Delta\mathrm{conf}^{i,f} = |\mathrm{conf}_T^{i,f} - \mathrm{conf}_0^{i,f}|.$$



Definition 1 ((δ, T)-Privacy). A database access mechanism is (δ, T)-private if for every distribution $\mathcal{D}$ on $\{0,1\}^k$, for every row index i, for every function $f : \{0,1\}^k \to \{0,1\}$, and for every adversary $\mathcal{A}$ making at most T queries it holds that

$$\Pr[\Delta\mathrm{conf}^{i,f} > \delta] < \mathrm{neg}(n).$$

The probability is taken over the choice of each row in d according to $\mathcal{D}$, and the randomness of the adversary as well as the database access mechanism.

A target set F is a set of k-ary Boolean functions (one can think of the functions in F as being selected by an adversary; these represent information it will try to learn about someone). A target set F is δ-safe if $\Delta\mathrm{conf}^{i,f} \le \delta$ for all $i \in [n]$ and $f \in F$. Let F be a target set of polynomial size. Definition 1 implies (by a union bound over i and f) that under a (δ, T)-private database mechanism, F is δ-safe with probability 1 − neg(n).

Proposition 2. Consider a (δ, T)-private database with $k = O(\log n)$ attributes. Let F be the target set containing all the $2^{2^k}$ Boolean functions over the k attributes. Then, Pr[F is 2δ-safe] = 1 − neg(n).

Proof. Let F' be the target set containing all $2^k$ conjuncts of k attributes. We have that $|F'| = \mathrm{poly}(n)$ and hence F' is δ-safe with probability 1 − neg(n).

To prove the proposition we show that F is 2δ-safe whenever F' is δ-safe. Let $f \in F$ be a Boolean function. Express f as a disjunction of conjuncts of k attributes:

⁴ The converse does not hold: conf grows logarithmically in p for $p \approx 0$ and logarithmically in $1/(1-p)$ for $p \approx 1$.

⁵ Our choice of defining privacy in terms of $\Delta\mathrm{conf}^{i,f}$ is somewhat arbitrary; one could rewrite our definitions (and analysis) in terms of the a priori and a posteriori probabilities. Note however that limiting $\Delta\mathrm{conf}^{i,f}$ in Definition 1 is a stronger requirement than just limiting $|p_T^{i,f} - p_0^{i,f}|$.
$f = c_1 \lor \cdots \lor c_\ell$. Similarly, express $\neg f$ as the disjunction of the remaining $2^k - \ell$ conjuncts: $\neg f = d_1 \lor \cdots \lor d_{2^k - \ell}$. (So $\{c_1, \ldots, c_\ell, d_1, \ldots, d_{2^k - \ell}\} = F'$.)

We have:

$$\Delta\mathrm{conf}^{i,f} = \left| \log\left( \frac{p_T^{i,f}}{1 - p_T^{i,f}} \cdot \frac{1 - p_0^{i,f}}{p_0^{i,f}} \right) \right| = \left| \log\left( \frac{\sum_j p_T^{i,c_j}}{\sum_j p_0^{i,c_j}} \cdot \frac{\sum_j p_0^{i,d_j}}{\sum_j p_T^{i,d_j}} \right) \right|.$$

Let k maximize $|\log(p_T^{i,c_k}/p_0^{i,c_k})|$ and k' maximize $|\log(p_0^{i,d_{k'}}/p_T^{i,d_{k'}})|$. Using $|\log(\sum_i a_i / \sum_i b_i)| \le \max_i |\log(a_i/b_i)|$ we get that $\Delta\mathrm{conf}^{i,f} \le |\Delta\mathrm{conf}^{i,c_k}| + |\Delta\mathrm{conf}^{i,d_{k'}}| \le 2\delta$, where the last inequality holds as $c_k, d_{k'} \in F'$. □
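The confidence map, Definition 1 and Proposition 2 above, as an added example (not the paper's code): compute $\Delta\mathrm{conf}^{i,f}$ for every Boolean function of k = 3 attributes under two constructed row distributions, D0 standing for the adversary's a priori view of row i and DT for its a posteriori view after the T answers, and confirm that the worst case over all $2^{2^k}$ functions is at most twice the worst case over the $2^k$ conjuncts. The distributions and the names D0, DT are assumptions of the example; how the answers move the adversary from D0 to DT is exactly what the mechanism of Section 4 bounds.

```python
"""Delta-conf over all Boolean functions of a row (added example, not the
paper's code). D0 and DT are constructed distributions on {0,1}^k for the a
priori and a posteriori view of one row; p_0^{i,f} and p_T^{i,f} are the
masses of f under each; conf(p) = log(p/(1-p)) and
Delta conf^{i,f} = |conf(p_T^{i,f}) - conf(p_0^{i,f})|.
"""
import itertools
import math


def conf(p):
    """The logit map conf: (0,1) -> R, monotone and 1-1."""
    return math.log(p / (1 - p))


def delta_conf(p0, pT):
    return abs(conf(pT) - conf(p0))


def mass(dist, f):
    """Pr[f(row) = 1] when row ~ dist; dist maps k-tuples to probabilities."""
    return sum(pr for x, pr in dist.items() if f(x))


def all_functions(k):
    """Every Boolean function on {0,1}^k, as the frozenset of points mapped to 1."""
    points = list(itertools.product((0, 1), repeat=k))
    for bits in itertools.product((0, 1), repeat=len(points)):
        yield frozenset(x for x, b in zip(points, bits) if b)


def minterms(k):
    """The 2^k conjuncts of k literals: the target set F' of Proposition 2."""
    return [frozenset([x]) for x in itertools.product((0, 1), repeat=k)]


def max_delta_conf(D0, DT, functions):
    """Largest Delta conf over the non-constant functions in `functions`
    (a constant function has p in {0, 1}, where conf is undefined)."""
    best = 0.0
    for f in functions:
        p0, pT = mass(D0, f.__contains__), mass(DT, f.__contains__)
        if 0 < p0 < 1 and 0 < pT < 1:
            best = max(best, delta_conf(p0, pT))
    return best


def check_proposition_2(D0, DT, k):
    """(delta attained on the conjuncts, worst Delta conf over all functions,
    whether the worst case is within 2*delta as Proposition 2 states)."""
    delta = max_delta_conf(D0, DT, minterms(k))
    worst = max_delta_conf(D0, DT, all_functions(k))
    return delta, worst, worst <= 2 * delta + 1e-12


def normalised(weights):
    total = sum(weights.values())
    return {x: w / total for x, w in weights.items()}


# Constructed views of one 3-attribute row, strictly positive so that every
# non-constant f has p in (0, 1).
D0 = normalised({x: 1 + sum(x) for x in itertools.product((0, 1), repeat=3)})
DT = normalised({x: 2 + x[0] + 3 * x[1] * x[2]
                 for x in itertools.product((0, 1), repeat=3)})

if __name__ == "__main__":
    print(check_proposition_2(D0, DT, 3))
```

For the informal example in the text, a prior of p = .38 moved to an a posteriori probability of .5 gives $\Delta\mathrm{conf} = \log(0.62/0.38) \approx 0.49$, which is what a (δ, T)-private mechanism must keep below δ except with negligible probability.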



(δ, T)-Privacy vs. Finding Very Heavy Sets. Let f be a target function and $\delta = \omega(\sqrt{n})$. Our privacy requirement implies a $\delta' = \delta'(\delta, \Pr[f(\alpha_1, \ldots, \alpha_k)])$ such that it is infeasible to find a "very" heavy set $q \subseteq [n]$, that is, a set for which $a_{q,f} > |q| \cdot \delta' \Pr[f(\alpha_1, \ldots, \alpha_k)]$. Such a δ'-heavy set would violate our privacy requirement as it would allow guessing $f(\alpha_1, \ldots, \alpha_k)$ for a random record in q.



Relationship to the Privacy Definition of [7]. Our privacy definition extends the definition of $p_0$-to-$p_1$ privacy breaches of [7]. Their definition is introduced with respect to a scenario in which several users send their sensitive data to a center. Each user randomizes his data prior to sending it. A $p_0$-to-$p_1$ privacy breach occurs if, with respect to some property $f$, the a priori probability that $f$ holds for a user is at most $p_0$ whereas the a posteriori probability may grow beyond $p_1$ (i.e. in a worst case scenario with respect to the coins of the randomization operator).



4 Privacy of Multi-attribute SuLQ Databases 

We first describe our SuLQ Database algorithm, and then prove that it preserves 
privacy. 

Let $T(n) = O(n^c)$, $c < 1$, and define $R = (T(n)/\delta^2) \cdot \log^\mu n$ for some $\mu > 0$ (taking $\mu = 6$ will work). To simplify notation, we write $d_i$ for $(d_{i,1}, \dots, d_{i,k})$, $g(i)$ for $g(d_i) = g(d_{i,1}, \dots, d_{i,k})$ (and later $f(i)$ for $f(d_i)$).



SuLQ Database Algorithm A
Input: a query $(q, g)$.

1. Let $a_{q,g} = \sum_{i \in q} g(i) = \sum_{i \in q} g(d_{i,1}, \dots, d_{i,k})$.

2. Generate a perturbation value: Let $(e_1, \dots, e_R) \in_R \{0,1\}^R$ and $\mathcal{E} = \sum_{i=1}^{R} e_i - R/2$.

3. Return $\hat{a}_{q,g} = a_{q,g} + \mathcal{E}$.



Note that $\mathcal{E}$ is a binomial random variable with $E[\mathcal{E}] = 0$ and standard deviation $\sqrt{R}$. In our analysis we will neglect the case where $\mathcal{E}$ largely deviates from zero, as the probability of such an event is extremely small: $\Pr[|\mathcal{E}| > \sqrt{R} \log^2 n] = \mathrm{neg}(n)$. In particular, this implies that our SuLQ database algorithm A is within $O(\sqrt{T(n)})$ perturbation.

We will use the following proposition. 

Proposition 3. Let $B$ be a binomially distributed random variable with expectation 0 and standard deviation $\sqrt{R}$. Let $L$ be the random variable that takes the value $\log \frac{\Pr[B]}{\Pr[B+1]}$. Then

1. $\log \frac{\Pr[B]}{\Pr[B+1]} = -\log \frac{\Pr[-B-1]}{\Pr[-B]}$. For $0 \le B \le \sqrt{R} \log^2 n$ this value is bounded by $O(\log^2 n / \sqrt{R})$.

2. $E[L] = O(1/R)$, where the expectation is taken over the random choice of $B$.



Proof. 1. The equality follows from the symmetry of the Binomial distribution (i.e. $\Pr[B] = \Pr[-B]$).

To prove the bound consider $\log(\Pr[B] / \Pr[B+1]) = \log\!\left(\binom{R}{R/2+B} \big/ \binom{R}{R/2+B+1}\right) = \log \frac{R/2+B+1}{R/2-B}$. Using the limits on $B$ and the definition of $R$ we get that this value is bounded by $\log(1 + O(\log^2 n / \sqrt{R})) = O(\log^2 n / \sqrt{R})$.

2. Using the symmetry of the Binomial distribution we get:



$$E[L] = \sum_{0 \le B \le R/2} \binom{R}{R/2+B} 2^{-R} \left( \log \frac{R/2+B+1}{R/2-B} + \log \frac{R/2-B+1}{R/2+B} \right) = \sum_{0 \le B \le \log^2 n \sqrt{R}} \binom{R}{R/2+B} 2^{-R} \log\!\left( 1 + \frac{R+1}{R^2/4 - B^2} \right) + \mathrm{neg}(n) = O(1/R).$$



Our proof of privacy is modeled on the proof in Section 4 of [5] (for single attribute databases). We extend their proof (i) to queries of the form $(q, g)$ where $g$ is any $k$-ary Boolean function, and (ii) to privacy of $k$-ary Boolean functions $f$.

Theorem 1. Let $T(n) = O(n^c)$ and $\delta = 1/O(n^{c'})$ for $0 < c < 1$ and $0 < c' < c/2$. Then the SuLQ algorithm A is $(\delta, T(n))$-private within $O(\sqrt{T(n)} / \delta)$ perturbation.

Note that whenever $\sqrt{T(n)} / \delta < \sqrt{n}$, bounding the adversary's number of queries to $T(n)$ allows privacy with perturbation magnitude less than $\sqrt{n}$.

Proof. Let $T(n)$ be as in the theorem and recall $R = (T(n)/\delta^2) \cdot \log^\mu n$ for some $\mu > 0$.

Let the $T = T(n)$ queries issued by the adversary be denoted $(q_1, g_1), \dots, (q_T, g_T)$. Let $\hat{a}_1 = A(q_1, g_1), \dots, \hat{a}_T = A(q_T, g_T)$ be the perturbed answers to these queries. Let $i \in [n]$ and $f : \{0,1\}^k \to \{0,1\}$.

We analyze the a posteriori probability $p_\ell$ that $f(i) = 1$ given the answers to the first $\ell$ queries $(\hat{a}_1, \dots, \hat{a}_\ell)$ and $d^{-i}$ (where $d^{-i}$ denotes the entire database except for the $i$th row). Let $\mathrm{conf}_\ell = \log_2 p_\ell / (1 - p_\ell)$. Note that $\mathrm{conf}_T = \mathrm{conf}_T^{i,f}$ (of Section 3), and (due to the independence of rows in $d$) $\mathrm{conf}_0 = \mathrm{conf}_0^{i,f}$.
By the definition of conditional probability (see the footnote below) we get

$$\frac{p_\ell}{1 - p_\ell} = \frac{\Pr[f(i) = 1 \mid \hat{a}_1, \dots, \hat{a}_\ell, d^{-i}]}{\Pr[f(i) = 0 \mid \hat{a}_1, \dots, \hat{a}_\ell, d^{-i}]} = \frac{\Pr[\hat{a}_1, \dots, \hat{a}_\ell \wedge f(i) = 1 \mid d^{-i}]}{\Pr[\hat{a}_1, \dots, \hat{a}_\ell \wedge f(i) = 0 \mid d^{-i}]} = \frac{\mathrm{Num}}{\mathrm{Denom}} .$$

Note that the probabilities are taken over the coin flips of the SuLQ algorithm and the choice of $d$. In the following we analyze the numerator (the denominator is analyzed similarly).



$$\mathrm{Num} = \sum_{\sigma \in \{0,1\}^k,\, f(\sigma) = 1} \Pr[\hat{a}_1, \dots, \hat{a}_\ell \wedge d_i = \sigma \mid d^{-i}] = \sum_{\sigma \in \{0,1\}^k,\, f(\sigma) = 1} \Pr[\hat{a}_1, \dots, \hat{a}_\ell \mid d_i = \sigma, d^{-i}] \Pr[d_i = \sigma] .$$

The last equality follows as the rows in $d$ are chosen independently of each other. Note that given both $d_i$ and $d^{-i}$ the random variable $\hat{a}_\ell$ is independent of $\hat{a}_1, \dots, \hat{a}_{\ell-1}$. Hence, we get:

$$\mathrm{Num} = \sum_{\sigma \in \{0,1\}^k,\, f(\sigma) = 1} \Pr[\hat{a}_1, \dots, \hat{a}_{\ell-1} \mid d_i = \sigma, d^{-i}] \Pr[\hat{a}_\ell \mid d_i = \sigma, d^{-i}] \Pr[d_i = \sigma] .$$

Next, we observe that although $\hat{a}_\ell$ depends on $d_i$, the dependence is weak. More formally, let $\sigma_0, \sigma_1 \in \{0,1\}^k$ be such that $f(\sigma_0) = 0$ and $f(\sigma_1) = 1$. Note that whenever $g_\ell(\sigma) = g_\ell(\sigma_1)$ we have that $\Pr[\hat{a}_\ell \mid d_i = \sigma, d^{-i}] = \Pr[\hat{a}_\ell \mid d_i = \sigma_1, d^{-i}]$. When, instead, $g_\ell(\sigma) \ne g_\ell(\sigma_1)$, we can relate $\Pr[\hat{a}_\ell \mid d_i = \sigma, d^{-i}]$ and $\Pr[\hat{a}_\ell \mid d_i = \sigma_1, d^{-i}]$ via Proposition 3:

Lemma 1. Let $\sigma, \sigma_1$ be such that $g_\ell(\sigma) \ne g_\ell(\sigma_1)$. Then $\Pr[\hat{a}_\ell \mid d_i = \sigma, d^{-i}] = 2^{e} \Pr[\hat{a}_\ell \mid d_i = \sigma_1, d^{-i}]$, where $|E[e]| = O(1/R)$ and

$$e = \begin{cases} \pm O(\log^2 n / \sqrt{R}) & \text{if } \mathcal{E} < 0 \\ \mp O(\log^2 n / \sqrt{R}) & \text{if } \mathcal{E} \ge 0 \end{cases}$$

(the sign is determined by $g_\ell(\sigma_1)$ and is reversed between the two cases), and $\mathcal{E}$ is the noise that yields $\hat{a}_\ell$ when $d_i = \sigma$.

Proof. Consider the case $g_\ell(\sigma_1) = 0$ ($g_\ell(\sigma) = 1$). Writing $\Pr[\hat{a}_\ell \mid d_i = \sigma, d^{-i}] = \Pr[\mathcal{E} = k]$ and $\Pr[\hat{a}_\ell \mid d_i = \sigma_1, d^{-i}] = \Pr[\mathcal{E} = k-1]$ the proof follows from Proposition 3. Similarly for $g_\ell(\sigma_1) = 1$.

Note that the value of $e$ does not depend on $\sigma$.

Taking into account both cases ($g_\ell(\sigma) = g_\ell(\sigma_1)$ and $g_\ell(\sigma) \ne g_\ell(\sigma_1)$) we get

$$\mathrm{Num} = \sum_{\sigma \in \{0,1\}^k,\, f(\sigma) = 1} \Pr[\hat{a}_1, \dots, \hat{a}_{\ell-1} \mid d_i = \sigma, d^{-i}] \; 2^{e \cdot [g_\ell(\sigma) \ne g_\ell(\sigma_1)]} \Pr[\hat{a}_\ell \mid d_i = \sigma_1, d^{-i}] \Pr[d_i = \sigma] .$$



Footnote: i.e. $\Pr[E_1 \mid E_2] \cdot \Pr[E_2] = \Pr[E_1 \wedge E_2] = \Pr[E_2 \mid E_1] \cdot \Pr[E_1]$.
Let $\gamma$ be the probability, over $d_i$, that $g(\sigma) \ne g(\sigma_1)$. Letting $\hat{\gamma} \ge 1$ be such that $2^{e/\hat{\gamma}} = \gamma \, 2^{e} + (1 - \gamma)$, we have

$$\begin{aligned}
\mathrm{Num} &= 2^{e/\hat{\gamma}} \Pr[\hat{a}_\ell \mid d_i = \sigma_1, d^{-i}] \sum_{\sigma \in \{0,1\}^k,\, f(\sigma) = 1} \Pr[\hat{a}_1, \dots, \hat{a}_{\ell-1} \mid d_i = \sigma, d^{-i}] \Pr[d_i = \sigma] \\
&= 2^{e/\hat{\gamma}} \Pr[\hat{a}_\ell \mid d_i = \sigma_1, d^{-i}] \sum_{\sigma \in \{0,1\}^k,\, f(\sigma) = 1} \Pr[\hat{a}_1, \dots, \hat{a}_{\ell-1} \wedge d_i = \sigma \mid d^{-i}] \\
&= 2^{e/\hat{\gamma}} \Pr[\hat{a}_\ell \mid d_i = \sigma_1, d^{-i}] \Pr[\hat{a}_1, \dots, \hat{a}_{\ell-1} \wedge f(i) = 1 \mid d^{-i}] \\
&= 2^{e/\hat{\gamma}} \Pr[\hat{a}_\ell \mid d_i = \sigma_1, d^{-i}] \Pr[f(i) = 1 \mid \hat{a}_1, \dots, \hat{a}_{\ell-1}, d^{-i}] \Pr[\hat{a}_1, \dots, \hat{a}_{\ell-1} \mid d^{-i}] \\
&= 2^{e/\hat{\gamma}} \Pr[\hat{a}_\ell \mid d_i = \sigma_1, d^{-i}] \, p_{\ell-1} \Pr[\hat{a}_1, \dots, \hat{a}_{\ell-1} \mid d^{-i}]
\end{aligned}$$



and similarly

$$\mathrm{Denom} = 2^{e'/\hat{\gamma}'} \Pr[\hat{a}_\ell \mid d_i = \sigma_0, d^{-i}] (1 - p_{\ell-1}) \Pr[\hat{a}_1, \dots, \hat{a}_{\ell-1} \mid d^{-i}] .$$



Putting the pieces together we get that

$$\mathrm{conf}_\ell = \log_2 \frac{\mathrm{Num}}{\mathrm{Denom}} = \mathrm{conf}_{\ell-1} + \left( e/\hat{\gamma} - e'/\hat{\gamma}' \right) + \log_2 \frac{\Pr[\hat{a}_\ell \mid d_i = \sigma_1, d^{-i}]}{\Pr[\hat{a}_\ell \mid d_i = \sigma_0, d^{-i}]} .$$



Define a random walk on the real line with $\mathrm{step}_\ell = \mathrm{conf}_\ell - \mathrm{conf}_{\ell-1}$. To conclude the proof we show that (with high probability) $T$ steps of the random walk do not suffice to reach distance $\delta$. From Proposition 3 and Lemma 1 we get that

$$|E[\mathrm{step}_\ell]| = O(1/R) = O\!\left( \frac{\delta^2}{T(n) \log^\mu n} \right)$$

and

$$|\mathrm{step}_\ell| = O(\log^2 n / \sqrt{R}) = O\!\left( \frac{\delta}{\sqrt{T(n)} \log^{\mu/2 - 2} n} \right) .$$

Using Proposition 1 with $\lambda = \log n$ we get that for all $t \le T$,

$$\Pr[|\mathrm{conf}_t - \mathrm{conf}_0| > \delta] = \Pr\!\left[ \Big| \sum_{\ell \le t} \mathrm{step}_\ell \Big| > \delta \right] \le \mathrm{neg}(n) .$$



5 Datamining on Vertically Partitioned Databases 

In this section we assume that the database is chosen according to $\mathcal{D}^n$ for some underlying distribution $\mathcal{D}$ on rows, where $\mathcal{D}$ is independent of $n$, the size of the database. We also assume that $n$ is sufficiently large that the true database statistics are representative of $\mathcal{D}$. Hence, in the sequel, when we write things like "$\Pr[\alpha]$" we mean the probability, over the entries in the database, that $\alpha$ holds.

Let $\alpha$ and $\beta$ be attributes. We say that $\alpha$ implies $\beta$ in probability if the conditional probability of $\beta$ given $\alpha$ exceeds the unconditional probability of $\beta$. The ability to measure implication in probability is crucial to datamining. Note that since $\Pr[\beta]$ is simple to estimate well, the problem reduces to obtaining a good estimate of $\Pr[\beta \mid \alpha]$. Moreover, once we can estimate $\Pr[\beta \mid \alpha]$, we can use Bayes' Rule and de Morgan's Laws to determine the statistics for any Boolean function of attribute values.

Our key result for vertically partitioned databases is a method, given two single-attribute SuLQ databases with attributes $\alpha$ and $\beta$ respectively, to measure $\Pr[\beta \mid \alpha]$.

For more general cases of vertically partitioned data, assume a $k$-attribute database is partitioned into $2 \le j \le k$ databases, with $k_1, \dots, k_j$ (possibly overlapping) attributes, respectively, where $\sum_i k_i \ge k$. We can use functional queries to learn the statistics on $k_i$-ary Boolean functions of the attributes in the $i$th database, and then use the results for two single-attribute SuLQ databases to learn binary Boolean functions of any two functions $f_1$ (on attributes in database $i_1$) and $f_2$ (on attributes in database $i_2$), where $1 \le i_1, i_2 \le j$.



5.1 Probabilistic Implication 

In this section we construct our basic building block for mining vertically parti- 
tioned databases. 

We assume two SuLQ databases $d_1, d_2$ of size $n$, with attributes $\alpha, \beta$ respectively. When $\alpha$ implies $\beta$ in probability with a gap of $\Delta$, we write $\alpha \Rightarrow_\Delta \beta$, meaning that $\Pr[\beta \mid \alpha] = \Pr[\beta] + \Delta$. We note that $\Pr[\alpha]$ and $\Pr[\beta]$ are easily computed within error $O(1/\sqrt{n})$, simply by querying the two databases on large subsets. Our goal is to determine $\Delta$, or equivalently, $\Pr[\beta \mid \alpha] - \Pr[\beta]$; the method will be to determine if, for a given $\Delta_1$, $\Pr[\beta \mid \alpha] > \Pr[\beta] + \Delta_1$, and then to estimate $\Delta$ by binary search on $\Delta_1$.

Notation. We let $p_\alpha = \Pr[\alpha]$, $p_\beta = \Pr[\beta]$, $p_{\beta|\alpha} = \Pr[\beta \mid \alpha]$ and $p_{\beta|\bar\alpha} = \Pr[\beta \mid \neg\alpha]$.

Let $X$ be a random variable counting the number of times $\alpha$ holds when we take $N$ samples from $\mathcal{D}$. Then $E[X] = N p_\alpha$ and $\mathrm{Var}[X] = N p_\alpha (1 - p_\alpha)$. Let

$$p_{\beta|\alpha} = p_\beta + \Delta . \qquad (1)$$

Note that $p_\beta = p_\alpha p_{\beta|\alpha} + (1 - p_\alpha) p_{\beta|\bar\alpha}$. Substituting $p_\beta + \Delta$ for $p_{\beta|\alpha}$ we get

$$p_{\beta|\bar\alpha} = p_\beta - \Delta \frac{p_\alpha}{1 - p_\alpha} , \qquad (2)$$

and hence (by another application of Eq. (1))

$$p_{\beta|\alpha} - p_{\beta|\bar\alpha} = \frac{\Delta}{1 - p_\alpha} . \qquad (3)$$

We define the following testing procedure to determine, given $\Delta_1$, if $\Delta > \Delta_1$. Step 1 finds a heavy (but not very heavy) set for attribute $\alpha$, that is, a set $q$ for which the number of records satisfying $\alpha$ exceeds the expected number by more than a standard deviation. Note that since $T(n) = o(n)$, the noise is $o(\sqrt{n})$ so the heavy set really has $N p_\alpha + \Omega(\sqrt{N})$ records for which $\alpha$ holds.

Step 2 queries $d_2$ on this heavy set. If the incidence of $\beta$ on this set sufficiently (as a function of $\Delta_1$) exceeds the expected incidence of $\beta$, then the test returns "1" (i.e., success). Otherwise it returns 0.

Test Procedure T
Input: $p_\alpha, p_\beta, \Delta_1 > 0$.

1. Find $q \in_R [n]$ such that $\hat{a}_{q,1} > N p_\alpha + \sigma_\alpha$ where $N = |q|$ and $\sigma_\alpha = \sqrt{N p_\alpha (1 - p_\alpha)}$. Let $\mathrm{bias}_\alpha = \hat{a}_{q,1} - N p_\alpha$.

2. If $\hat{a}_{q,2} > N p_\beta + \Delta_1 \frac{\mathrm{bias}_\alpha}{1 - p_\alpha}$ return 1, otherwise return 0.



Theorem 2. For the test procedure T:

1. If $\Delta > \Delta_1$, then $\Pr[T \text{ outputs } 1] > 1/2$.

2. If $\Delta < \Delta_1 - \epsilon$, then $\Pr[T \text{ outputs } 1] < 1/2 - \gamma$,

where for $\epsilon = \Theta(1)$ the advantage $\gamma = \gamma(p_\alpha, p_\beta, \epsilon)$ is constant, and for $\epsilon = o(1)$ the advantage $\gamma = c \cdot \epsilon$ with constant $c = c(p_\alpha, p_\beta)$.

In the following analysis we neglect the difference between $a_{q,g}$ and $\hat{a}_{q,g}$, since, as noted above, the perturbation contributes only low order terms (we neglect some other low order terms). Note that it is possible to compute all the required constants for Theorem 2 explicitly, in polynomial time, without neglecting these low-order terms. Our analysis does not attempt to optimize constants.

Proof. Consider the random variable corresponding to $a_{q,2}$ given that $q$ is biased according to Step 1 of T. By linearity of expectation, together with the fact that the two cases below are disjoint, we get that

$$\begin{aligned}
E[a_{q,2} \mid \mathrm{bias}_\alpha] &= (N p_\alpha + \mathrm{bias}_\alpha) p_{\beta|\alpha} + (N(1 - p_\alpha) - \mathrm{bias}_\alpha) p_{\beta|\bar\alpha} \\
&= N p_\alpha p_{\beta|\alpha} + N(1 - p_\alpha) p_{\beta|\bar\alpha} + \mathrm{bias}_\alpha (p_{\beta|\alpha} - p_{\beta|\bar\alpha}) \\
&= N p_\beta + \mathrm{bias}_\alpha \frac{\Delta}{1 - p_\alpha} .
\end{aligned}$$

The last step uses Eq. (3). Since the distribution of $a_{q,2}$ is symmetric around $E[a_{q,2} \mid \mathrm{bias}_\alpha]$ we get the first part of the claim, i.e. if $\Delta > \Delta_1$ then

$$\Pr[T \text{ outputs } 1] = \Pr\!\left[ a_{q,2} > N p_\beta + \mathrm{bias}_\alpha \frac{\Delta_1}{1 - p_\alpha} \,\Big|\, \mathrm{bias}_\alpha \right] > 1/2 .$$

To get the second part of the claim we use the de Moivre-Laplace theorem and approximate the binomial distribution with the normal distribution so that we can approximate the variance of the sum of two distributions (when $\alpha$ holds and when $\alpha$ does not hold) in order to obtain the variance of $a_{q,2}$ conditioned on $\mathrm{bias}_\alpha$. We get:

$$\mathrm{Var}[a_{q,2} \mid \mathrm{bias}_\alpha] \approx (N p_\alpha + \mathrm{bias}_\alpha) p_{\beta|\alpha} (1 - p_{\beta|\alpha}) + (N(1 - p_\alpha) - \mathrm{bias}_\alpha) p_{\beta|\bar\alpha} (1 - p_{\beta|\bar\alpha}) .$$
Assuming $N$ is large enough, we can neglect the terms involving $\mathrm{bias}_\alpha$. Hence,

$$\begin{aligned}
\mathrm{Var}[a_{q,2} \mid \mathrm{bias}_\alpha] &\approx N[p_\alpha p_{\beta|\alpha} + (1 - p_\alpha) p_{\beta|\bar\alpha}] - N[p_\alpha p_{\beta|\alpha}^2 + (1 - p_\alpha) p_{\beta|\bar\alpha}^2] \\
&= N p_\beta - N[p_\alpha p_{\beta|\alpha}^2 + (1 - p_\alpha) p_{\beta|\bar\alpha}^2] \\
&= N[p_\beta - p_\beta^2] - N \Delta^2 \frac{p_\alpha}{1 - p_\alpha} \le N[p_\beta - p_\beta^2] = \mathrm{Var}_\beta .
\end{aligned}$$

The transition from the second to third lines follows from the identity (worked out in the footnote below) $[p_\alpha p_{\beta|\alpha}^2 + (1 - p_\alpha) p_{\beta|\bar\alpha}^2] - p_\beta^2 = \Delta^2 \frac{p_\alpha}{1 - p_\alpha}$.

We have that the probability distribution on $a_{q,2}$ is a Gaussian with mean and variance at most $N p_\beta + \mathrm{bias}_\alpha (\Delta_1 - \epsilon)/(1 - p_\alpha)$ and $\mathrm{Var}_\beta$ respectively. To conclude the proof, we note that the conditional probability mass of $a_{q,2}$ exceeding its own mean by $\epsilon \cdot \mathrm{bias}_\alpha / (1 - p_\alpha) > \epsilon \sigma_\alpha / (1 - p_\alpha)$ is at most

$$1 - \Phi\!\left( \frac{\epsilon \, \sigma_\alpha / (1 - p_\alpha)}{2 \sqrt{\mathrm{Var}_\beta}} \right)$$

where $\Phi$ is the cumulative distribution function for the normal distribution. For constant $\epsilon$ this yields a constant advantage $\gamma$. For $\epsilon = o(1)$, we get that

$$\gamma \ge \frac{\epsilon \, \sigma_\alpha / (1 - p_\alpha)}{2 \sqrt{\mathrm{Var}_\beta}} .$$

By taking $\epsilon = \omega(1/\sqrt{n})$ we can run the Test procedure enough times to determine with sufficiently high confidence which "side" of the interval $[\Delta_1 - \epsilon, \Delta_1]$ $\Delta$ is on (if it is not inside the interval). We proceed by binary search to narrow in on $\Delta$. We get:



Theorem 3. There exists an algorithm that invokes the test T 



times and outputs $\hat{\Delta}$ such that $\Pr[|\hat{\Delta} - \Delta| < \epsilon] > 1 - \delta$.



6 Datamining on Published Statistics 

In this section we apply our basic technique for measuring implication in prob- 
ability to the real-life model in which confidential information is gathered by 
a trusted party, such as the census bureau, who publishes aggregate statistics. 
The published statistics are the results of queries to a SuLQ database. That is, 
the census bureau generates queries and their noisy responses, and publishes the 
results. 

Footnote: In more detail: $p_\alpha p_{\beta|\alpha}^2 + (1 - p_\alpha) p_{\beta|\bar\alpha}^2 - p_\beta^2 = p_{\beta|\alpha}^2 p_\alpha (1 - p_\alpha) + p_{\beta|\bar\alpha}^2 (1 - p_\alpha) p_\alpha - 2 p_\alpha (1 - p_\alpha) p_{\beta|\alpha} p_{\beta|\bar\alpha} = p_\alpha (1 - p_\alpha) [p_{\beta|\alpha}^2 + p_{\beta|\bar\alpha}^2 - 2 p_{\beta|\alpha} p_{\beta|\bar\alpha}] = p_\alpha (1 - p_\alpha) (p_{\beta|\alpha} - p_{\beta|\bar\alpha})^2 = \Delta^2 \frac{p_\alpha}{1 - p_\alpha}$.
Let $k$ denote the number of attributes (columns). Let $\ell < k/2$ be fixed (typically, $\ell$ will be small; see below). For every $\ell$-tuple of attributes $(\alpha_1, \alpha_2, \dots, \alpha_\ell)$, and for each of the $2^\ell$ conjunctions of literals over these $\ell$ attributes ($\alpha_1 \alpha_2 \cdots \alpha_\ell$, $\bar\alpha_1 \alpha_2 \cdots \alpha_\ell$, and so on), the bureau publishes the result of some number $t$ of queries on these conjunctions. More precisely, a query set $q \subseteq [n]$ is selected, and noisy statistics for all $\binom{k}{\ell} 2^\ell$ conjunctions of literals are published for the query. This is repeated $t$ times.

To see how this might be used, suppose $\ell = 3$ and we wish to learn if $\alpha_1 \alpha_2 \alpha_3$ implies $\alpha_4 \alpha_5 \alpha_6$ in probability. We know from the results in Section 4 that we need to find a heavy set $q$ for $\alpha_1 \alpha_2 \alpha_3$, and then to query the database on the set $q$ with the function $\alpha_4 \alpha_5 \alpha_6$. Moreover, we need to do this several times (for the binary search). If $t$ is sufficiently large, then with high probability such query sets $q$ are among the $t$ queries. Since we query all triples (generally, $\ell$-tuples) of literals for each query set $q$, all the necessary information is published. The analyst need only follow the instructions for learning the strength $\Delta$ of the implication in probability $\alpha_1 \alpha_2 \alpha_3 \Rightarrow_\Delta \alpha_4 \alpha_5 \alpha_6$, looking up the results of the queries (rather than randomly selecting the sets $q$ and submitting the queries to the database).

As in Section 4, once we can determine implication in probability, it is easy to determine (via Bayes' rule) the statistics for the conjunction $\alpha_1 \alpha_2 \alpha_3 \alpha_4 \alpha_5 \alpha_6$. In other words, we can determine the approximate statistics for any conjunction of $2\ell$ literals of attribute values. Now the procedure for arbitrary $2\ell$-ary functions is conceptually simple. Consider a function of attribute values $\beta_1 \dots \beta_{2\ell}$. The analyst first represents the function as a truth table: for each possible $2\ell$-tuple of literals over $\beta_1 \dots \beta_{2\ell}$ the function has value either zero or one. Since these conjunctions of literals are mutually exclusive, the probability (overall) that the function has value 1 is simply the sum of the probabilities that each of the positive (one-valued) conjunctions occurs. Since we can approximate each of these statistics, we obtain an approximation for their sum. Thus, we can approximate the statistics for each of the Boolean functions of $2\ell$ attributes. It remains to analyze the quality of the approximations.

Let $T = o(n)$ be an upper bound on the number of queries permitted by the SuLQ database algorithm, e.g., $T = O(n^c)$, $c < 1$. Let $k$ and $\ell$ be as above: $k$ is the total number of attributes, and statistics for $\ell$-tuples will be published. Let $\epsilon$ be the (combined) additive error achieved for all $\binom{k}{2\ell} 2^{2\ell}$ conjuncts with probability $1 - \delta$.

Input: a database $d = \{d_{i,j}\}$ of dimensions $n \times k$.

Repeat $t$ times:

1. Let $q \in_R [n]$. Output $q$.

2. For all selections of $\ell$ indices $1 \le j_1 < j_2 < \dots < j_\ell \le k$, output $\hat{a}_{q,g}$ for all the $2^\ell$ conjuncts $g$ over the literals $\alpha_{j_1}, \dots, \alpha_{j_\ell}$.



Privacy is preserved as long as $t \cdot \binom{k}{\ell} 2^\ell < T$ (Theorem 1). To determine utility, we need to understand the error introduced by the summation of estimates.

Let $\epsilon' = \epsilon / 2^{2\ell}$. If our test results in an $\epsilon'$ additive error for each possible conjunct of $2\ell$ literals, the truth table method described above allows us to compute the frequency of every function of $2\ell$ literals within additive error $\epsilon$ (a lot better in many cases). We require that our estimate be within error $\epsilon'$ with probability $1 - \delta'$ where $\delta' = \delta / \big( \binom{k}{2\ell} 2^{2\ell} \big)$. Hence, the probability that a 'bad' conjunct exists (for which the estimation error is not within $\epsilon'$) is bounded by $\delta$.

Plugging $\delta'$ and $\epsilon'$ into Theorem 3, we get that for each conjunction of $2\ell$ literals, the number of subsets $q$ on which we need to make queries is

$$t = O\big( 2^{4\ell} (\log(1/\epsilon) + \ell)(\log(1/\delta) + \ell \log k + \log\log(1/\epsilon)) / \epsilon^2 \big) .$$

For each subset $q$ we query each of the $\binom{k}{\ell} 2^\ell$ conjuncts of $\ell$ attributes. Hence, the total number of queries we make is

$$t \cdot \binom{k}{\ell} 2^\ell = O\big( k^\ell 2^{5\ell} (\log(1/\epsilon) + \ell)(\log(1/\delta) + \ell \log k + \log\log(1/\epsilon)) / \epsilon^2 \big) .$$

For constant $\epsilon, \delta$ we get that the total number of queries is $O(2^{5\ell} k^\ell \ell^2 \log k)$. To see our gain, compare this with the naive publishing of statistics for all conjuncts of $2\ell$ attributes, resulting in $\binom{k}{2\ell} 2^{2\ell}$ queries.



7 Open Problems 

Datamining of 3-ary Boolean Functions. Section 5.1 shows how to use two SuLQ databases to learn that $\Pr[\beta \mid \alpha] = \Pr[\beta] + \Delta$. As noted, this allows estimating $\Pr[f(\alpha, \beta)]$ for any Boolean function $f$. Consider the case where there exist three SuLQ databases for attributes $\alpha, \beta, \gamma$. In order to use our test procedure to compute $\Pr[f(\alpha, \beta, \gamma)]$, one has either to find heavy sets for $\alpha \wedge \beta$ (having bias of order $\Omega(\sqrt{n})$), or, given a heavy set for $\gamma$, to decide whether it is also heavy w.r.t. $\alpha \wedge \beta$. It is not clear how to extend the test procedure of Section 5.1 in this direction.

Maintaining Privacy for All Possible Functions. Our privacy definition (Definition 1) requires for every function $f(a_1, \dots, a_k)$ that with high probability the confidence gain is limited by some value $\delta$. If $k$ is small (less than $\log\log n$), then, via the union bound, we get that with high probability the confidence gain is kept small for all the $2^{2^k}$ possible functions.

For large $k$ the union bound does not guarantee simultaneous privacy for all the $2^{2^k}$ possible functions. However, the privacy of a randomly selected function is (with high probability) preserved. It is conceivable that (e.g. using cryptographic measures) it is possible to render infeasible the task of finding a function $f$ whose privacy was breached.

Dependency Between Database Records. We explicitly assume that the database records are chosen independently from each other, according to some underlying distribution $\mathcal{D}$. We are not aware of any work that does not make this assumption (implicitly or explicitly). An important research direction is to come up with definition and analysis that work in a more realistic model of weak dependency between database entries.
Abstract. In the perfectly secure message transmission (PSMT) problem, two synchronized non-faulty players (or processors), the Sender S and the Receiver R are connected by $n$ wires (each of which facilitates 2-way communication); S has an $\ell$-bit message that he wishes to send to R; after exchanging messages in phases¹ R should correctly obtain S's message, while an adversary listening on and actively controlling any set of $t$ (or less) wires should have no information about S's message.

We measure the quality of a protocol for securely transmitting an $\ell$-bit message using the following parameters: the number of wires $n$, the number of phases $r$ and the total number of bits transmitted $b$. The optima for $n$ and $r$ are respectively $2t + 1$ and 2. We prove that any 2-phase reliable message transmission protocol, and hence any secure protocol, over $n$ wires out of which at most $t$ are faulty is required to transmit at least $b = \Omega\!\left( \frac{n\ell}{n - 2t} \right)$ bits. While no known protocol is simultaneously optimal in both communication and phase complexity, we present one such optimum protocol for the case $n = 2t + 1$ when the size of message is large enough, viz., $\ell = \Omega(t \log t)$ bits; that is, our optimal protocol has $n = 2t + 1$, $r = 2$ and $b = O(n\ell)$ bits. Note that privacy is for free, if the message is large enough.

We also demonstrate how randomness can effectively improve the phase complexity. Specifically, while the (worst-case) lower bound on $r$ is 2, we design an efficient optimally tolerant protocol for PSMT that terminates in a single phase with arbitrarily high probability.

Finally, we consider the case when the adversary is mobile, that is, he could corrupt a different set of $t$ wires in different phases. Again, the optima for $n$ and $r$ are respectively $2t + 1$ and 2; however we show that $b \ge \Omega\!\left( \frac{n\ell}{n - 2t} \right)$ bits irrespective of $r$. We present the first protocol that is (asymptotically) optimum in $b$ for $n = 2t + 1$. Our protocol has a phase complexity of $O(t)$.



1 Introduction 

Consider a synchronous network $\mathcal{N}(V, \mathcal{E})$ represented by an undirected graph where $V = \{P_1, P_2, \dots, P_N\} \cup \{S, R\}$ denotes the set of players (nodes) in

* Financial support from Infosys Technologies Limited, India, is acknowledged. 

¹ A phase is a send from S to R or from R to S or both simultaneously.

Franklin (Ed.): CRYPTO 2004, LNCS 3152, pp. 545-561, 2004. 
the network that are connected by 2-way communication links as defined by $\mathcal{E} \subseteq V \times V$. The players S and R do not trust the network connecting them. Nevertheless, the sender S wishes to securely send a message to the receiver R through the network. Security here means that R should receive exactly what S sent to him while other players should have no information about it, even if up to $t$ of the players (excluding S and R) collude and behave maliciously. This problem, known as perfectly secure message transmission (PSMT), was first proposed and solved by Dolev et al. [3]. In essence, it is proved in [3] that PSMT from S to R across the network $\mathcal{N}$, tolerating a static² adversary that corrupts up to $t$ players (nodes), is possible if and only if $\mathcal{N}$ is at least $(2t + 1)$-(S,R)-connected³. We use the approach of [3] and abstract away the network entirely and concentrate on solving the PSMT problem for a single pair of synchronized processors, the Sender S and the Receiver R, connected by some number $n$ of wires denoted by $w_1, w_2, \dots, w_n$. We may think of these wires as a collection of vertex-disjoint paths between S and R in the underlying network⁴.

The PSMT problem is important in its own right as well as a very useful primitive in various secure distributed protocols. Note that if S and R are connected directly via a private and authenticated link (like what is assumed in generic secure multiparty protocols [15, 6, 1, 12]), secure communication is trivially guaranteed. However, in reality, it is not economical to directly connect every two players in the network. Therefore, such a complete network can only be (virtually) realized by simulating the missing links using SMT protocols as primitives.

In this paper, we shall use the simple and standard model of a synchronous 
network wherein any communication protocol evolves as a series of phases, during 
which the players (S or R) send messages, receive them and perform (polynomial 
time) local computations according to the protocol. 

There are three basic aspects contributing to the quality of an algorithm for PSMT: the maximum tolerable number $t$ of faulty wires, the number of phases $r$, and the total number of bits sent $b$. The optima for the above quality parameters are as follows: $n = 2t + 1$ [3], $r = 2$ [13]. The lower bound for $b$ is proved in this work to be $\Omega\!\left( \frac{n\ell}{n - 2t} \right)$ when $r = 2$ for any $n \ge 2t + 1$.

In the last few years, there have been some attempts toward improving the quality of protocols. All protocols proposed so far securely communicate an element of a finite field $\mathbb{F}$; extending this to securely communicate $\ell$ field elements would result in a proportional increase of communication complexity. Dolev et al. [3] proposed three protocols: the first one with $n = 2t + 1$, $r = t + 1$, $b = O(t^{(\cdot)} \ell)$ field elements (the exponent is illegible in the scan), the second one with $n = 2t + 1$, $r = 3$, $b = O(t^{(\cdot)} \ell)$ field elements



² By static adversary, we mean an adversary that decides on the set of players to corrupt before the start of the protocol.

³ We say that a network $\mathcal{N}$ is $k$-$(P_i, P_j)$-connected if the deletion of no $(k - 1)$ or less nodes from $\mathcal{N}$ disconnects $P_i$ and $P_j$.

⁴ The approach of abstracting the network as a collection of $n$ wires is justified using Menger's theorem [8] which states that a graph is $c$-(S,R)-connected if and only if S and R are connected by at least $c$ vertex-disjoint paths.
and the third one with $n = 2t + 1$, $r = 2$ and $b$ not polynomial in $n$. This was substantially improved by the protocol of [13], that has $n = 2t + 1$, $r = 2$ and $b = O(t^{(\cdot)} \ell)$ field elements. The protocol of [14] has $n = 2t + 1$, $r = \log t$ and $b = O(t^{(\cdot)} \log t)$ field elements (exponents illegible in the scan).

However, no known protocol is simultaneously optimal in both $b$ and $r$. In this paper, we present (in Section 4.1) an (asymptotically) optimal protocol to perfectly securely transmit a message consisting of $\ell$ field elements, viz., our protocol has $n = 2t + 1$, $r = 2$ and $b = O(t\ell)$ field elements, if $\ell = \Omega(t)$. Since we require the field size to be at least $n$, this means that the message size is $\Omega(t \log t)$ bits.

Unfortunately, due to the stringent requirements of privacy and reliability, 
(even optimal) PSMT protocols are not always as efficient as we would like them 
to be in practice. Therefore, one often relaxes either the reliability or the privacy 
requirement, or both, and tries to achieve statistical reliability/privacy. 

Thus, we look for protocols in which the probability that R will receive the correct message is $1 - \delta$ and the probability that the adversary will learn the message is $\epsilon$ for arbitrarily small $\delta$ and $\epsilon$. Of course, PSMT is the case $\epsilon = \delta = 0$; broadcast satisfies $\epsilon = 1$, $\delta = 0$, and so on. In [5], a $(0, \delta)$-protocol with $n = 2t + 1$, $r = 3$ and $b = O(t^{(\cdot)})$ field elements (exponent illegible in the scan) was presented to securely communicate one field element. For an extensive discussion of $(\epsilon, \delta)$-secure protocols see [5].

In this paper we introduce a new way of relaxing the requirements. We study 
the average case efficiency of SMT protocols, rather than the worst case. We do 
not require that the worst case complexity be polynomially bounded, or even 
finite; we feel that nonterminating protocols that nevertheless complete quickly 
with high probability and have perfect security and reliability are very useful 
constructions. 

In Section 5 we present an optimally fault-tolerant protocol that terminates in a single phase with high probability, and having $b = O(t)$ field elements. We note that the significance of a single phase protocol is more than merely a gain in efficiency (in terms of network latency): S and R are not required to be on the network at the same time for executing a single phase protocol, and therefore they are applicable in a much bigger set of scenarios than are multi-phase protocols.

Most of the results in the literature model the sender’s distrust in the network 
via a centralized static adversary that can corrupt up to t of the n wires and 
assume the worst-case that the adversary can completely control the behavior 
of the corrupted wires [3, 13]. In line with this, we assume up to section 6 that 
the adversary is static, i.e., he (a) decides on the set of t wires to corrupt before 
the start of the protocol and (b) a wire once corrupted remains so subsequently. 

However, in practice the bound on the number of corrupted wires may depend 
on the total time of the protocol execution. Thus motivated, in section 6 we model 
the faults via a mobile adversary, in line with [10]. In this model, the adversary 
can corrupt any set of wires in the lifetime of the protocol but is constrained to 
corrupt at most t wires in any single phase of the protocol. 

We show that our ideas in the case of static adversaries can be extended to withstand mobile adversaries. We prove that the lower bound of $b = \Omega\!\left( \frac{n\ell}{n - 2t} \right)$ for reliable message transmission holds for mobile adversaries irrespective of the number of rounds. We also give a bit-optimal protocol when $n = 2t + 1$.

2 Preliminaries 

Notation. Throughout the paper, we use M to denote the message that S wishes to securely communicate to R. The message is assumed to be a sequence of $\ell$ elements from the finite field $\mathbb{F}$. The only constraint on $\mathbb{F}$ is that its size must be no less than the number of wires $n$. Since we measure the size of the message in terms of the number of field elements, we must also measure the communication complexity in units of field elements; we follow this convention in the rest of the paper. We assume that there exists a publicly specified one-to-one mapping $\alpha : \{1, 2, \dots, n\} \to \mathbb{F}$. For convenience, we use $\alpha_i$ to denote $\alpha(i)$.

We say that a wire is faulty if it is controlled by the adversary; all other 
wires are called honest. A faulty wire is corrupted in a specific phase if the value 
sent along that wire was changed. When the context makes clear which phase 
is being referred to, we simply say that a wire is corrupted. Observe that a wire 
may be faulty but not corrupted in a particular phase. 

2.1 Efficient Single Phase Reliable Communication 

To reliably communicate a message $m$, a sequence of $k$ field elements, to R, one simple way is for S to send $m$ along each wire, i.e., broadcast. However, when $n \ge 2t + 1$, where $t$ out of $n$ wires are corrupted, broadcast, requiring $O(nk)$ field elements, is not the most efficient method of (single phase) reliable communication. Instead, it is possible to use an error-correcting code to improve the communication complexity of reliable communication to $O\!\left( \frac{nk}{n - 2t} \right)$ field elements. A block error correcting code encoding a message of $k$ field elements to a codeword of $n$ symbols is an injective mapping $\mathcal{C} : \mathbb{F}^k \to \mathbb{F}^n$, $(n > k)$. The encoding function is used in conjunction with a decoding function $\mathcal{D} : \mathbb{F}^n \to \mathbb{F}^k$ with the property that if its input differs from a valid codeword in at most $t$ field elements, then $\mathcal{D}$ outputs the message corresponding to that codeword. We say that the code corrects $t$ errors. Clearly, such a decoding function will always exist if any two valid codewords differ in at least $2t + 1$ symbols, that is, the distance of the code $d \ge 2t + 1$.

The efficiency of an error correcting code is subject to the Singleton bound: 

Lemma 1. Let C be a block code which reliably transmits k field elements by 
communicating a total of n field elements and has a distance of d. Then 
n ≥ k + d − 1. 

We observe that for a t-error correcting code, the distance d (which is the 
minimum Hamming distance between any two codewords) is at least 2t + 1. Thus 
we have 

Corollary 1. Let C be a t-error correcting block code as in lemma 1. Then 
k ≤ n − 2t. 
We now consider a special class of error correcting codes called Reed-Solomon 
codes (RS codes). 

Definition 1. Let $\mathbb{F}$ be a finite field and $\alpha_1, \alpha_2, \ldots, \alpha_n$ be a collection of distinct 
elements of $\mathbb{F}$. Given $k \le n \le |\mathbb{F}|$, and a block $B = [m_0\ m_1\ \ldots\ m_{k-1}]$, the encod- 
ing function for the Reed-Solomon code RS(n, k) is defined as $[p_B(\alpha_1)\ p_B(\alpha_2)\ \cdots\ p_B(\alpha_n)]$, 
where $p_B(x)$ is the polynomial $\sum_{i=0}^{k-1} m_i x^i$. 

Theorem 1 ([7]). The Reed-Solomon code meets the Singleton bound. □ 

The following special property of the RS-code will be of use in our subsequent 
discussion: 

Lemma 2. Let $[p_B(\alpha_1)\ p_B(\alpha_2)\ \cdots\ p_B(\alpha_n)]$ be an RS(n, k)-encoding of B. Then 
for any n' ≤ n, any subsequence of $[p_B(\alpha_1)\ p_B(\alpha_2)\ \cdots\ p_B(\alpha_n)]$ of length n' 
forms a valid RS(n', k)-encoding of B. 

Proof: Easy observation. □ 

Constructing message transmission protocols using error correcting codes is a 
typical application, for example see [2, 11]. We now describe REL-SEND(m, k), 
a protocol for reliable communication obtained by using the corresponding Reed- 
Solomon code RS(n, k). REL-SEND(m, k) will be used as a sub-protocol later on. 



Protocol REL-SEND: optimal single phase reliable message transmission 
of m. 

— S breaks up m into blocks of k field elements. 

— For each block $B = [m_0\ m_1\ \ldots\ m_{k-1}]$: 

• S computes RS(n, k) to obtain $[p_B(\alpha_1)\ p_B(\alpha_2)\ \cdots\ p_B(\alpha_n)]$. 

• S sends $p_B(\alpha_i)$ along the wire $w_i$. 

• R receives the (possibly corrupted) $p_B(\alpha_i)$'s, applies the decod- 
ing algorithm and reconstructs B. 

— R concatenates the B's to recover the message m. 



We note that the resulting protocol is a single phase protocol. The reverse 
process is equally valid - given a single phase reliable communication protocol, we 
can convert it into a block error correcting code. Thus, the maximum attainable 
efficiency for single phase reliable communication is also subject to the Singleton 
bound. 

Remark: This conversion to an error correcting code is straightforward if the 
messages sent along each wire in the protocol are of the same length. Suppose, 
however, that there exists a protocol Π that does not have this symmetry 
property and beats the Singleton bound. Then consider the protocol Π' which 
consists of n sequential executions of protocol Π with the identities or numbers 
of the wires being "rotated" by a distance of i in the i-th execution. Clearly, this 
protocol achieves the symmetry property by "spreading the load"; further, its 
message expansion factor is equal to that of Π. It therefore beats the Singleton 
bound as well, which is a contradiction. 
Lemma 3. Suppose that the receiver R knows f faults among the n wires, and 
let t' be the number of faulty wires apart from those f. Then REL-SEND(m, k) 
works if n − f ≥ k + 2t'. 

Proof: Since R knows f faults, he simply ignores those wires; and by lemma 2, 
this converts the code into an RS code with parameters n − f and k. The result 
now follows from lemma 1 and theorem 1. □ 
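As an added illustration (this is not code from the paper), the following Python sketch implements REL-SEND over a small prime field together with the receiver-side behaviour of Lemma 3: wires that R already knows to be faulty are dropped (by Lemma 2 the remaining positions still form an RS(n − f, k) code) and the decoder then corrects up to t' further errors. The field size 257, the choice $\alpha_i = i$, the brute-force decoder (fine for small n; any RS decoder would do) and the sample message and corruptions are assumptions made for the example.

```python
from itertools import combinations

P = 257  # constructed prime field; the only constraint is P >= n


def poly_eval(coeffs, x):
    """Evaluate sum coeffs[i] * x^i over GF(P) (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def interpolate(points):
    """Lagrange interpolation over GF(P): low-to-high coefficients of the unique
    polynomial of degree < len(points) through the given (x, y) pairs."""
    k = len(points)
    coeffs = [0] * k
    for i, (xi, yi) in enumerate(points):
        num, denom = [1], 1            # basis polynomial prod_{j != i} (x - xj)/(xi - xj)
        for j, (xj, _) in enumerate(points):
            if j == i:
                continue
            new = [0] * (len(num) + 1)  # multiply num by (x - xj)
            for d, c in enumerate(num):
                new[d] = (new[d] - c * xj) % P
                new[d + 1] = (new[d + 1] + c) % P
            num, denom = new, denom * (xi - xj) % P
        scale = yi * pow(denom, P - 2, P) % P
        for d, c in enumerate(num):
            coeffs[d] = (coeffs[d] + c * scale) % P
    return coeffs


def rs_encode(block, n):
    """RS(n, k): block [m_0 .. m_{k-1}] -> [p_B(alpha_1) .. p_B(alpha_n)], alpha_i = i."""
    return [poly_eval(block, i) for i in range(1, n + 1)]


def rs_decode(received, k, max_errors):
    """received: list of (alpha_i, value). Returns the block if some polynomial of
    degree < k agrees with all but at most max_errors received values, else None.
    Uniqueness needs len(received) - k + 1 >= 2*max_errors + 1 (Lemma 1 / Corollary 1)."""
    need = len(received) - max_errors
    for subset in combinations(received, k):
        cand = interpolate(list(subset))
        if sum(1 for x, y in received if poly_eval(cand, x) == y) >= need:
            return cand
    return None


def rel_send(m, n, k):
    """Sender side of REL-SEND(m, k): returns what travels on each of the n wires."""
    wires = [[] for _ in range(n)]
    for b in range(0, len(m), k):
        block = m[b:b + k]
        block = block + [0] * (k - len(block))   # zero-pad the last block
        cw = rs_encode(block, n)
        for i in range(n):
            wires[i].append(cw[i])
    return wires


def rel_receive(wires, k, known_faulty, max_unknown_errors, msg_len):
    """Receiver side as in Lemma 3: ignore the f wires known to be faulty, then
    decode every block correcting up to t' = max_unknown_errors further errors."""
    usable = [i for i in range(len(wires)) if i not in known_faulty]
    out = []
    for b in range(len(wires[0])):
        block = rs_decode([(i + 1, wires[i][b]) for i in usable], k, max_unknown_errors)
        if block is None:
            return None
        out.extend(block)
    return out[:msg_len]


def demo():
    n, t = 7, 3               # n = 2t + 1 wires
    f, t_prime = 2, 1         # R knows 2 faulty wires; one more is faulty but unknown to R
    k = n - f - 2 * t_prime   # Lemma 3: n - f >= k + 2t', so k = 3 here
    m = [5, 17, 200, 33, 1, 99]   # constructed message
    wires = rel_send(m, n, k)
    for i in (0, 1, 4):       # constructed adversary: wires 0, 1 (known) and 4 (unknown)
        wires[i] = [(v + 7) % P for v in wires[i]]
    return rel_receive(wires, k, known_faulty={0, 1},
                       max_unknown_errors=t_prime, msg_len=len(m))
```

With n = 7 and t = 3, broadcast (k = 1) would cost 7 field elements per message element; once R knows two faulty wires, `demo()` sends 7 elements per 3 message elements and still recovers the message despite the third, unknown corruption.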

2.2 Extracting Randomness 

In several of our protocols we have the following situation: S and R by some 
means agree on a sequence of n numbers $x = [x_1, x_2, \ldots, x_n] \in \mathbb{F}^n$ such that 

— The adversary knows n − f of the components of x. 

— The adversary has no information about the other f components of x. 

— S and R do not necessarily know which values are known to the adversary. 

The goal is for S and R to agree on a sequence of f numbers $y_1, y_2, \ldots, y_f \in \mathbb{F}$ 
such that the adversary has no information about $y_1, y_2, \ldots, y_f$. This is achieved 
by the following algorithm: 

Algorithm $\mathrm{EXTRAND}_{n,f}(x)$. Let V be an n × f Vandermonde ma- 
trix with members in $\mathbb{F}$. This matrix is published as a part of the 
protocol specification. S and R both locally compute the product 
$[y_1\ y_2\ \cdots\ y_f] = [x_1\ x_2\ \ldots\ x_n]\,V$. 

Lemma 4. The adversary has no information about $[y_1\ y_2\ \ldots\ y_f]$ in algorithm 
EXTRAND. 

Proof. We need to show that there is a bijective mapping between the f-tuple 
of values that are not known to the adversary and the f-tuple $y_1, y_2, \ldots, y_f$. But 
this is a direct consequence of the fact that every f-subdeterminant in an n × f 
Vandermonde matrix is nonzero. 
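As an added example (not from the paper), the Python below computes EXTRAND over a toy field GF(7) and checks Lemma 4 exhaustively: with the adversary's n − f known components held fixed, every choice of the f unknown components yields a distinct output, so y is a bijective function of exactly what the adversary does not know. It also shows what goes wrong with a matrix that has a zero f × f minor. The field size, n = 4, f = 2, the evaluation points $\beta_i = i + 1$ and the fixed "known" values are assumptions of the example; a Vandermonde matrix built from any distinct $\beta_i$ behaves the same way.

```python
from itertools import product

P = 7  # constructed toy prime field, small enough to enumerate every input


def vandermonde(n, f, betas=None):
    """n x f Vandermonde matrix V[i][j] = beta_i^j over GF(P) for distinct beta_i
    (assumption for the example: beta_i = i + 1 unless given). Any f rows of it
    form a square Vandermonde matrix, whose determinant is nonzero."""
    betas = betas or [i + 1 for i in range(n)]
    return [[pow(b, j, P) for j in range(f)] for b in betas]


def extrand(x, V):
    """EXTRAND_{n,f}(x): the row vector [x_1 .. x_n] times the n x f matrix V."""
    n, f = len(x), len(V[0])
    return [sum(x[i] * V[i][j] for i in range(n)) % P for j in range(f)]


def output_is_bijective_in_unknowns(n, known, V):
    """Lemma 4 check. `known` maps the indices the adversary knows to their values;
    the remaining f components range over all |F|^f settings. Returns True iff every
    setting gives a different y, i.e. y carries no information beyond what the
    adversary already has."""
    unknown = [i for i in range(n) if i not in known]
    f = len(unknown)
    seen = set()
    for vals in product(range(P), repeat=f):
        x = [0] * n
        for i, v in known.items():
            x[i] = v
        for i, v in zip(unknown, vals):
            x[i] = v
        seen.add(tuple(extrand(x, V)))
    return len(seen) == P ** f


def demo():
    n, f = 4, 2                              # adversary knows n - f = 2 components
    known = {0: 3, 2: 5}                     # constructed: components 1 and 3 are secret
    good = output_is_bijective_in_unknowns(n, known, vandermonde(n, f))
    # rows 1 and 3 identical: the 2x2 minor on the unknown rows vanishes and
    # the outputs only depend on x_1 + x_3, so the mapping is no longer bijective
    bad_matrix = [[1, 1], [1, 2], [1, 3], [1, 2]]
    bad = output_is_bijective_in_unknowns(n, known, bad_matrix)
    return good, bad
```

The exhaustive check is only feasible because the field is tiny; for a real field the same conclusion follows from the nonzero minors, which is exactly the argument in the proof of Lemma 4.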

3 Lower Bound on Communication Complexity 

Theorem 2. Any 2-phase perfectly reliable message transmission (PRMT) of ℓ 
bits requires communicating $\Omega(n\ell/(n-2t))$ bits. 

We first observe that a probabilistic polynomial time (PPT) protocol for PRMT 
with a worst-case communication complexity of b bits exists if and only if there is 
a deterministic protocol with the same communication complexity. Since perfect 
reliability is required, the algorithm must succeed for every possible choice of 
coin tosses; in particular, it must succeed when all the random bits of S and R 
are zeroes. Thus we convert any PPT protocol into a deterministic protocol by 
fixing the sequence of coin-tosses to all zeros. Hence, we assume that S and R 
are deterministic polynomial time algorithms. 
We recall that in a phase, both S and R may simultaneously send messages 
to the other player. If this happens we call it a bidirectional phase. On the other 
hand, if only one of the players sends a message, we call it a unidirectional phase. 

Without loss of generality we assume that in the first phase communication 
is from R to S and in the second phase it is from S to R. (Clearly there is no 
point in communication from R to S in the second phase; similarly if S sends 
any messages to R in the first phase we can consider these to be part of the 
second phase as well.) In the rest of the paper we assume that communication 
in each phase is unidirectional. 

We prove the stronger statement that any 2-phase PRMT of ℓ bits requires 
communicating at least $\Omega(n\ell/(n-2t))$ bits even against a weaker adversary, namely, one 
that is passive in the first phase. 

Thus, let Π be a two phase protocol in which $M_1$ is the totality of messages 
sent by R to S in phase 1 and $M_2$ the totality of messages sent by S to R in 
phase 2. The steps of Π are as follows: 

1. R computes $M_1$ and sends it to S. 

2. S, using $M_1$ and the message, computes $M_2$ and sends it to R. 

3. R recovers the message using $M_2$. 

In the above protocol, we see that step 1 is "useless": consider the protocol 
Π' in which step 1 is replaced with the following step: 

S and R both locally compute $M_1$ by simulating R's execution in step 1 of 
Π. (Since the adversary is passive, $M_1$ is guaranteed to have been received by S 
in the first phase of Π.) 

It is clear that Π' succeeds whenever Π succeeds. 

Π', being a single phase protocol, can also be viewed as an error correcting 
code. That is, the concatenation of the data sent along all the wires forms the 
codeword. Let $S_i$ be the set of possible values of the data sent along the wire $w_i$. 
Thus, each codeword is of length at least $\sum_{i=1}^{n} \log |S_i|$ bits, consisting of n elements, 
one from each $S_i$, 1 ≤ i ≤ n. Now, the removal of any 2t elements from each 
of the codewords should result in shortened codewords that are all distinct. 
For if any two were identical, the original codewords could have differed only 
among at most 2t elements, implying that there exist two original codewords $c_1$ 
and $c_2$ and an adversarial strategy such that the receiver's view is the same on 
the receipt of either $c_1$ or $c_2$. In more detail, without loss of generality assume 
that $c_1$ and $c_2$ differ only in their last 2t elements. That is, $c_1 = a \circ \beta$ and 
$c_2 = a \circ \gamma$, where ∘ denotes concatenation and $|\beta| = |\gamma| = 2t$ elements. Let $\beta_1$ 
denote the first t elements of β, while $\beta_2$ be the last t elements. That is, let 
$\beta = \beta_1 \circ \beta_2$, $|\beta_1| = |\beta_2| = t$ elements. Similarly, let $\gamma = \gamma_1 \circ \gamma_2$, $|\gamma_1| = |\gamma_2| = t$. 
Now, consider the two cases: (a) $c_1$ is sent and the adversary corrupts it to (by 
corrupting the last t wires and changing $\beta_2$ to $\gamma_2$) $a \circ \beta_1 \circ \gamma_2$ and (b) $c_2$ is sent 
and the adversary corrupts it to (by corrupting the penultimate set of t wires 
and changing $\gamma_1$ to $\beta_1$) $a \circ \beta_1 \circ \gamma_2$. Thus, the receiver cannot distinguish between 
the receipt of $c_1$ and $c_2$, which violates the reliable communication property. 
Therefore, all shortened codewords are distinct and there are as many shortened 
codewords as original codewords. But the number of shortened codewords is at 
most the minimum of $\prod_{j=1}^{n-2t} |S_{i_j}|$ among all (n − 2t)-sized subsets $(i_1, i_2, \ldots, i_{n-2t})$ 
of 1, 2, ..., n. Thus we may sort the $|S_i|$'s in non-decreasing order and multiply 
the first (n − 2t) values to obtain the number of original codewords, denoted by C. 
Thus, reliable communication of k = log C bits incurs a communication cost of 
at least $\sum_{i=1}^{n} \log |S_i|$ bits. But $\log C = \sum_{j=1}^{n-2t} \log |S_{i_j}|$. Thus, in the best case all the 
domains are of equal size, and the code is then subject to the Singleton bound. By the corollary 
to lemma 1, reliable communication of k = n − 2t bits incurs a communication 
cost of n bits. Since Π' communicates an ℓ bit message, it follows that Π' has a 
communication complexity of $\Omega(n\ell/(n-2t))$ bits. □ 

Corollary 2. Any 2-phase perfectly reliable message transmission (PRMT) of 
ℓ field elements requires communicating $\Omega(n\ell/(n-2t))$ field elements. 

The above corollary follows from the fact that a field element can be repre- 
sented as a string of $\lceil \log |\mathbb{F}| \rceil$ bits. 

4 An Optimal Protocol for PSMT 

4.1 The PSMT Protocol 

In this section, we present our 2-phase protocol for PSMT for any message that 
is a sequence of ℓ field elements, with n = 2t + 1 and b = O(tℓ) field elements, 
for a sufficiently large ℓ. It turns out that we require ℓ = Ω(t). 

Suppose that there exists a protocol that securely transmits a message con- 
sisting of Ω(t) field elements with n = 2t + 1, r = 2 and b = O(nt) field elements. 
It is evident that for any integer j ≥ 1, tj field elements can be sent in b = O(ntj) 
field elements whilst maintaining n = 2t + 1 and r = 2; this is because we can 
run the j sub-protocols in parallel. Setting j = ⌈ℓ/t⌉, we obtain a protocol that 
communicates ℓ field elements by sending O(nℓ) field elements. Thus, our goal 
now reduces to the design of a protocol that achieves secure transmission of Ω(t) 
field elements over a network of n = 2t + 1 wires, in two rounds, by communi- 
cating b = O(nt) field elements. We now present one such protocol. Specifically, 
our protocol sends ⌊t/2⌋ field elements by sending O(nt) field elements. 

In our protocol, the first phase is a send from R to S and the second phase is 
from S to R. We denote the set of n wires by $W = \{w_1, w_2, \ldots, w_n\}$. We assume 
that S wishes to communicate a block, denoted by m, that consists of ⌊t/2⌋ field 
elements from $\mathbb{F}$. 

Phase I (R to S) 

The receiver R selects at random n polynomials $p_i$, 1 ≤ i ≤ n, over $\mathbb{F}$, each of 
degree t. 

Next, through each wire $w_i$, R sends the following to S: 

— The polynomial $p_i$.¹ 

— For each j, 1 ≤ j ≤ n, the value of $p_j(\alpha_i)$ (which we denote by $r_{ij}$), where 
the $\alpha_i$'s are arbitrary distinct publicly specified members of $\mathbb{F}$. 

¹ We assume that the polynomial is sent by sending a (t + 1)-tuple of field elements. 
Phase II (S to R) 

S begins this phase after receiving what R has sent in the first phase. Let S 
receive the polynomial $p'_i$ and the values $r'_{ij}$ along the wire $w_i$. In this phase, S 
must locate all the corruptions that occurred in the previous phase, communicate 
the corruptions and send the message securely. A naive and straightforward way 
of doing this is as follows: communicate the list of O(n²) contradictions (we say 
that wire i contradicts wire j if $r'_{ij} \ne p'_j(\alpha_i)$) among the wires (in the worst case). 
However, there are two problems with this approach: (a) the method requires 
communicating O(n³) field elements, and (b) such an approach necessitates more 
than two phases. 

We solve the former problem by using a two step technique to communicate 
the list of contradictions. In the first step we broadcast a selected set of contra- 
dictions; this will enable the players to find sufficiently many faults to facilitate 
sending the remaining contradictions in O(n²) field elements using the REL- 
SEND protocol in the second step. The second problem is solved using some 
new techniques described in the sequel. 

S's computation. 

— S initializes his fault-list, denoted by $L_{fault}$, to ∅. 

— S constructs a directed graph G = (W, A) where arc $(w_i, w_j) \in A$ if wire i 
contradicts wire j, that is, if $r'_{ij} \ne p'_j(\alpha_i)$. 

— Let H = (W, E) be the undirected graph based on G; that is, $\{w_i, w_j\} \in E$ 
if $(w_i, w_j) \in A$ or $(w_j, w_i) \in A$. 

— For each i, 1 ≤ i ≤ n, such that the degree of node $w_i$ in the graph H 
constructed above is greater than t (i.e., degree($w_i$) ≥ t + 1), S adds $w_i$ to 
$L_{fault}$. 

— Let H' = (W', E') be the induced subgraph of H on the vertex set 
$W' = W \setminus L_{fault}$. 

— Next, S finds a maximum matching² $M \subseteq E'$ of the graph H'; this can be 
done efficiently using the algorithms of [4, 9]. 

— For each arc $(w_i, w_j)$ in G that does not belong to M, S associates the four- 
tuple $\{\alpha_i, \alpha_j, r'_{ij}, p'_j(\alpha_i)\}$. Let $\{a_1, a_2, \ldots, a_N\}$ be the arcs in G that are not 
in M. Replacing each arc with its associated 4-tuple, S gets a set of 4N field 
elements, $X = \{X_1, X_2, \ldots, X_{4N}\}$. 

— Let u = ⌊t/2⌋. Next, S creates the (2t + u)-degree message-carrying polynomial 
$s(x) = \sum_{i=0}^{2t+u} k_i x^i$ as follows: let $m = [m_0\ m_1\ \ldots\ m_{u-1}]$ and 

$k_i = m_i$ if 0 ≤ i < u, 

$k_i = 0$ if $w_{i-u+1} \in L_{fault}$, 

$k_i = p'_{i-u+1}(0)$ otherwise. 

² A subset M of the edges of H is called a matching in H if no two of the edges in 
M are adjacent. A matching M is called maximum if H has no matching M' with a 
greater number of edges than M has. 
— S initializes the set Y as follows: 

$Y = \{s(\alpha_1), s(\alpha_2), \ldots, s(\alpha_{t+1})\}$ 

— Finally, the sender S selects at random n polynomials $q_i$, 1 ≤ i ≤ n, over 
$\mathbb{F}$, each of degree t, such that the values $q_i(0)$ lie on a polynomial of degree 
⌊t/2⌋. 

— S computes $y = [y_0\ y_1\ \ldots\ y_{u-1}] = \mathrm{EXTRAND}_{n,u}([q_1(0)\ q_2(0)\ \ldots\ q_n(0)])$. 

— For each j, 1 ≤ j ≤ n, let $v_{ij}$ denote the value of $q_j(\alpha_i)$. With each of the N + 
|M| arcs in the graph G, S associates the four-tuple $\{\alpha_i, \alpha_j, v_{ij}$ and $q_j(\alpha_i)\}$. 
He initializes the set Z along similar lines as X to contain 4(N + |M|) field 
elements. 
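The bookkeeping S performs on the contradiction graph is easy to lose in the notation, so here is an added Python model of it (not the paper's code): it builds G and H from a constructed Phase I transcript, applies the degree rule to fill $L_{fault}$, finds a maximum matching on H' by brute force (the paper cites efficient algorithms [4, 9]; brute force is used here only because the graphs are tiny), counts the 4-tuples that go into X, and checks the edge bound of Theorem 5 from Section 4.2. The field GF(101), n = 5, t = 2, $\alpha_i = i$, the fixed polynomials and both adversaries are constructed for the example.

```python
from itertools import combinations

P = 101          # constructed prime field
n, t = 5, 2      # n = 2t + 1 wires, numbered 1..n; alpha_i = i


def poly_eval(coeffs, x):
    """Evaluate a polynomial given as low-to-high coefficients over GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


# constructed Phase I: R's degree-t polynomials p_1 .. p_n
R_POLYS = {i: [(7 * i + 1) % P, (13 * i + 2) % P, (3 * i + 5) % P] for i in range(1, n + 1)}


def phase1_transcript():
    """What R sends: on wire w_i the polynomial p_i and r_ij = p_j(alpha_i) for every j."""
    polys = {i: list(R_POLYS[i]) for i in R_POLYS}
    r = {(i, j): poly_eval(R_POLYS[j], i) for i in R_POLYS for j in R_POLYS}
    return polys, r


def contradiction_graph(polys, r):
    """G as seen by S: arc (i, j) iff wire i contradicts wire j, i.e. r'_ij != p'_j(alpha_i)."""
    return {(i, j) for (i, j) in r if i != j and r[(i, j)] != poly_eval(polys[j], i)}


def undirected(arcs):
    """H: forget the direction of every arc of G."""
    return {frozenset(a) for a in arcs}


def fault_list(edges):
    """Degree rule: an honest wire is involved in at most t contradictions (one per
    faulty wire), so a degree above t in H proves the wire is faulty."""
    deg = {i: 0 for i in range(1, n + 1)}
    for e in edges:
        for v in e:
            deg[v] += 1
    return {v for v, d in deg.items() if d > t}


def maximum_matching(edges):
    """Brute force: the largest set of pairwise disjoint edges (tiny graphs only)."""
    edges = list(edges)
    for size in range(len(edges), -1, -1):
        for cand in combinations(edges, size):
            if len(set().union(*cand)) == 2 * size:
                return set(cand)
    return set()


def sender_phase2_plan(polys, r):
    """S's preparation: L_fault, the matching M on H', and |X| (4 elements per arc not in M)."""
    G = contradiction_graph(polys, r)
    H = undirected(G)
    L_fault = fault_list(H)
    H_prime = {e for e in H if not (e & L_fault)}
    M = maximum_matching(H_prime)
    X_size = 4 * sum(1 for a in G if frozenset(a) not in M)
    return L_fault, M, X_size


def theorem5_holds(edges):
    """Theorem 5 (Section 4.2): |E| <= 2|M|^2 + |M| * Delta for the undirected graph."""
    deg = {}
    for e in edges:
        for v in e:
            deg[v] = deg.get(v, 0) + 1
    delta = max(deg.values(), default=0)
    m = len(maximum_matching(edges))
    return len(edges) <= 2 * m * m + m * delta


def loud_adversary():
    """Constructed: wire 2 delivers p_2 + 1, wire 4 shifts every r_4j by 3."""
    polys, r = phase1_transcript()
    polys[2][0] = (polys[2][0] + 1) % P
    for j in range(1, n + 1):
        if j != 4:
            r[(4, j)] = (r[(4, j)] + 3) % P
    return sender_phase2_plan(polys, r)   # expected ({2, 4}, set(), 28)


def quiet_adversary():
    """Constructed: wire 4 alters only r_41 and r_42, so no wire exceeds degree t."""
    polys, r = phase1_transcript()
    for j in (1, 2):
        r[(4, j)] = (r[(4, j)] + 3) % P
    return sender_phase2_plan(polys, r)   # expected (set(), one matched edge, 4)
```

The loud adversary is caught entirely by the degree rule (both faulty wires land in $L_{fault}$, H' has no edges and X carries all seven contradictions); the quiet one leaves H' with two edges sharing wire 4, so S broadcasts one matched edge and ships the other contradiction in X via REL-SEND.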

S's communication. 

S sends the following to R through all the wires: 

1. The blinded message m ⊕ y. 

2. The set $L_{fault}$. 

3. For each edge $(w_i, w_j) \in M$, the following four field elements: $\{\alpha_i, \alpha_j, r'_{ij}$ and 
$p'_j(\alpha_i)\}$. 

Along each wire $w_i$, S sends the following as specified by the REL-SEND(·, ·) 
algorithm: 

1. REL-SEND(X, $|M| + |L_{fault}| + 1$). 

2. REL-SEND(Y, $|M| + |L_{fault}| + 1$). 

3. REL-SEND(Z, $|M| + |L_{fault}| + 1$). 

Again, through each wire $w_i$, S sends the following to R: 

— The polynomial $q_i$. 

— For each j, 1 ≤ j ≤ n, the value of $v_{ij} = q_j(\alpha_i)$. 

Message recovery by R. 

R receives what S sent in the second phase and locally deciphers the message 
m as follows: 

1. R reliably receives $L_{fault}$ and knows that the wires in this set are faulty. He 
initializes $L'_{fault} = L_{fault}$. 

2. For each arc $(w_i, w_j) \in M$, R reliably receives $\{\alpha_i, \alpha_j, r'_{ij}$ and $p'_j(\alpha_i)\}$. He 
locally verifies: $r'_{ij} \stackrel{?}{=} r_{ij}$ and $p'_j(\alpha_i) \stackrel{?}{=} p_j(\alpha_i)$. If the former check fails (that 
is, the values are unequal), then R adds $w_i$ to $L'_{fault}$. If the latter check fails, 
then R adds $w_j$ to $L'_{fault}$ (note that both $w_i$ and $w_j$ may be identified as 
faulty; in any case, at least one of them is guaranteed to be found faulty). 
Thus, at least |M| new faults are caught in this step. 

3. From Lemma 5, it is clear that R receives the set X reliably. Again R locally 
verifies for each arc's (say $(w_i, w_j)$) 4-tuple: $r'_{ij} \stackrel{?}{=} r_{ij}$ and $p'_j(\alpha_i) \stackrel{?}{=} p_j(\alpha_i)$. 
If the former check fails (that is, the values are unequal), then R adds $w_i$ 
to $L'_{fault}$. If the latter check fails, then R adds $w_j$ to $L'_{fault}$. At the end of 
this step, all the faults that occurred during transmission in Phase I are 
guaranteed to have been identified (see Lemma 6). 

4. We know from Lemma 5 that R receives the set Y correctly. If the 
number of faults (which are not in $L_{fault}$) that occurred in Phase I was 
< t/2, then in the polynomial s(x), R has ≤ t unknowns and t + 1 equations 
(which are bound to be consistent whatever the number of unknowns may 
be, since all faults have been eliminated). Thus, in this case, R obtains the 
message m. 

5. Similarly, from Lemma 5, we know that R receives the set Z correctly. If 
the number of faults (which are not in $L_{fault}$) that occurred in Phase I was 
≥ t/2, then from Lemma 9, we know that R can obtain the message using 
the polynomials q(·) and Z. Thus, in this case too, R obtains the message 
m. 

Lemma 5. R is guaranteed to receive the sets X, Y and Z correctly. 

Proof: From lemma 3, the REL-SEND(·, k) protocol succeeds provided that n − 
f ≥ k + 2(t − f); here, $k = |M| + |L_{fault}| + 1$ and n = 2t + 1. Therefore, 
REL-SEND succeeds if $(2t + 1) - f - (|M| + |L_{fault}| + 1) \ge 2t - 2f$, or if $f \ge 
|M| + |L_{fault}|$. Since R is guaranteed to have identified at least $|M| + |L_{fault}|$ 
faulty wires at this stage, the lemma follows. □ 

Lemma 6. If the set X was received correctly, then R can find all the corrup- 
tions that occurred during Phase I. 

Proof: Suppose wire $w_i$ was corrupted in Phase I, i.e., $p'_i \ne p_i$. Then the two 
polynomials can intersect in at most t points. Since there are t + 1 honest wires, 
there is guaranteed to be at least one honest wire which contradicts $w_i$. Since 
the correct values corresponding to every contradiction have been received by 
R, R can find all the corruptions. □ 

Lemma 7. If the number of corruptions that occurred in Phase I was < t/2, R 
obtains the polynomial s(x) correctly. 

Proof: To find the message R must find the polynomial s(x). To find s(x), R 
must find $k_i$ for 0 ≤ i ≤ 2t + u. Of these R does not yet know $k_i$ for 0 ≤ i < u 
and does not know < t/2 of the $p'_i(0)$, a total of at most ⌊t/2⌋ + 1 + t/2 = t + 1 
field elements. But the set Y gives R t + 1 values of s(x), which yield t + 1 linear 
equations on the coefficients, and using these values R can determine all $k_i$. □ 

Lemma 8. For some i, if the wire $w_i$ was corrupted in Phase I then R can 
correct any corruption of the corresponding $q_i$ in Phase II. 

Proof: Let the in-degree of $w_i$ in G be d. Then there must have been at least 
t − d + 1 corruptions in Phase I (since the number of honest wires is t + 1). 
Thus in the second phase, there are at most 2t + 1 − (t + 1 − d) = t + d legitimate 
wires. The maximum number of faults that R needs to correct in this phase is 
t − (t + 1 − d) = d − 1. We verify that these parameters satisfy the constraint in 
lemma 3, and therefore R will be able to correct all corruptions of $q_i$. □ 

Lemma 9. If the set Z was received correctly and if the number of faults that 
occurred in Phase I was ≥ t/2, then R can obtain the message m. 

Proof: By lemma 8, R can correct all except a maximum of t/2 of the $q_i$'s. The 
degree of the polynomial that they lie on is ⌊t/2⌋; since these parameters satisfy 
the constraints of lemma 3, it follows from the correctness of the REL-SEND 
protocol that R can obtain all the $q_i$'s and hence m. □ 

Theorem 3. The protocol presented in Section 4.1 achieves perfect reliability. 

Proof: Perfect reliability is a consequence of lemmas 7 and 9. □ 

Lemma 10. For every honest wire $w_i$, the adversary has no information about 
$p_i(0)$ and $q_i(0)$. 

Proof: Obvious, $p_i$ is a random polynomial of degree t but the adversary has 
seen only t points on it. The same argument holds for $q_i$ as well. □ 

Theorem 4. The protocol presented in Section 4.1 achieves perfect security. 

Proof (sketch): First we prove that the adversary has no information about the 
coefficients $k_0, k_1, \ldots, k_{u-1}$ of the polynomial s(x). There are at least t + 1 values 
of $p_i(0)$ which are not known to the adversary. The adversary obtains t + 1 linear 
equations on the coefficients $k_j$ by knowing the values of $s(\alpha_1), s(\alpha_2), \ldots, s(\alpha_{t+1})$, 
which are sent reliably by S. Thus the adversary has t + 1 linear equations on 
u + t + 1 unknowns, which implies that he has no information about any u-tuple 
of them. 

Next we observe that among the values $q_1(0), \ldots, q_n(0)$, the adversary knows 
at most t, and hence by the security of the EXTRAND algorithm (lemma 4) it 
follows that the adversary gets no information about m. □ 

4.2 Performance 

Theorem 5. Given an undirected graph H = (V, E), with a maximum degree of 
Δ and a maximum matching M, the number of edges |E| is less than or equal 
to $2|M|^2 + |M|\Delta$. 

Proof: We first fix a representation of the maximum matching M as a set of 
ordered pairs of vertices as described below. 

We say that a vertex i belongs to the vertex-set of the matching, denoted by 
Vertex(M), if there exists another vertex j such that the edge (i, j) ∈ M. A 
vertex i ∈ Vertex(M) is called a match-vertex if the degree of i in the subgraph 
$H_i$ induced by H over the vertices $\{i\} \cup (V \setminus \mathrm{Vertex}(M))$ is ≤ 1. 

Given a maximum matching M, a match-vertex i may have at most one 
incident edge $e_i = (i, \cdot)$ in $H_i$. We call the edge a match-edge (correspond- 
ing to the match-vertex i). We now define X to be the set of all match-edges 
(corresponding to each of the match-vertices in M). 

Claim. Every edge (i, j) ∈ M has at least one match-vertex. 

Proof: On the contrary, if neither i nor j was a match-vertex, then both i and 
j are adjacent to at least two vertices in $V \setminus \mathrm{Vertex}(M)$. Let i be adjacent to 
vertices u and v in $V \setminus \mathrm{Vertex}(M)$ and let j be adjacent to a vertex w (≠ u) in 
$V \setminus \mathrm{Vertex}(M)$. Now, removing the edge (i, j) from M and adding the edges 
(u, i) and (j, w) to M gives rise to a new matching in H of size |M| + 1, which 
contradicts the maximality of the matching M. Hence the claim holds. 

Hereafter, we represent every edge in M ∪ X as (i, j) if and only if i is a 
match-vertex; in case of both i and j being match-vertices, i is the one with the 
lower number of corresponding match-edges (ties broken by random choice). We 
fix one such representation of the edges in M ∪ X. To avoid confusion between 
the unordered pair (i, j) and the ordered pair used in the representation of an 
edge in M ∪ X hereafter, we denote the ordered pair as ⟨i, j⟩. A vertex i belonging 
to Vertex(M) is called a left-vertex if, in the representation of M that we fixed 
earlier, there exists a vertex j such that ⟨i, j⟩ ∈ M. We call all the non-left- 
vertices belonging to M right-vertices. 

Note that the number of left-vertices is equal to the number of right-vertices, 
which is equal to |M|. Also note that by definition, every left-vertex is a match-vertex. 

Now, it is easy to place an upper bound on |E| as follows: the maximum 
number of edges among the 2|M| vertices in Vertex(M) is |M|(2|M| − 1). Again, 
the maximum number of edges from the left-vertices to $V \setminus \mathrm{Vertex}(M)$ is 
|M|, since each left-vertex is a match-vertex (having at most one edge to $V \setminus 
\mathrm{Vertex}(M)$) and there are |M| left-vertices. Furthermore, each right-vertex can 
have at most Δ − 1 edges to $V \setminus \mathrm{Vertex}(M)$ (by the definition of Δ). Thus, 
$|E| \le |M|(2|M| - 1) + |M| + |M|(\Delta - 1) \le 2|M|^2 + |M|\Delta$. □ 

Theorem 6. The PSMT protocol presented in Section 4.1 communicates O(t²) 
field elements in order to securely transmit ⌊t/2⌋ field elements. 

Proof: We have already proved that the protocol securely transmits ⌊t/2⌋ field ele- 
ments. From the description of the protocol, it is easy to verify that all steps ex- 
cept possibly the invocations of REL-SEND(X, ·) and REL-SEND(Z, ·) in Phase 
II have a communication cost of O(t²) field elements. Since the maximum degree 
of a node in H' is at most t + 1 and |M| is also at most t + 1, from theorem 5 it 
follows that |X| (and hence also |Z|) is $O((|M| + |L_{fault}|)\,t)$. Since REL-SEND(X, $|M| + |L_{fault}| + 1$) 
sends n field elements for every $|M| + |L_{fault}| + 1$ elements of X, the theorem follows. □ 

The main result now follows from the discussion at the beginning of Section 4.1: 

Corollary 3. There exists a 2-round PSMT protocol that securely communicates 
a message consisting of ℓ field elements and has a communication complexity of 
O(nt) field elements when n = 2t + 1, if ℓ = Ω(t). 
5 A Las Vegas Single Phase Protocol 

In this section we present an optimally tolerant (n = 2t + 1) PSMT pro- 
tocol which terminates in a single phase with (arbitrarily) high probability. 
We represent the block of field elements m that S wishes to send to R as 
$m = [m_0\ m_1\ \ldots\ m_t]$. 



The Single Phase Protocol 

1. S selects at random n polynomials $p_i$, 1 ≤ i ≤ n, over $\mathbb{F}$, each of degree 
t. 

2. For each wire $w_i$: 

— S sends the polynomial $p_i$ through $w_i$. 

— For each j, S randomly selects one of the t points of intersection of 
$p_i$ and $p_j$ (denote the selected point by $r_{ij}$). S ensures that $r_{ij} \ne r_{ji}$. 
S sends $r_{ij}$ through $w_i$. 

3. S computes $y = [y_0\ y_1\ \ldots\ y_t] = \mathrm{EXTRAND}_{n,t+1}([p_1(0)\ p_2(0)\ \ldots\ p_n(0)])$ 
and broadcasts m ⊕ y. 

4. Let $p'_i$ and $r'_{ij}$ be the values received by R. We say that wire i contradicts 
wire j if $p'_i$ and $p'_j$ do not intersect at $r'_{ij}$. 

5. R checks if there is a wire contradicted by at least t + 1 wires. All such 
wires are removed. 

6. If there is at least one contradiction among the remaining wires, R 
broadcasts "FAILURE"; S and R now execute the PSMT protocol of 
section 4.1. 

7. If there is no contradiction, R corrects the polynomials $p_i(\cdot)$ of each 
corrupted wire $w_i$ (i.e., he "corrects" those wires) using the values of $r_{ij}$ 
received along the uncorrupted wires. R now knows all the polynomials 
$p_i$. 

8. R computes $y = [y_0\ y_1\ \ldots\ y_t] = \mathrm{EXTRAND}_{n,t+1}([p_1(0)\ p_2(0)\ \ldots\ p_n(0)])$ 
and recovers m = (m ⊕ y) ⊕ y. 
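To make steps 4 to 6 concrete, here is an added Python model of R's check (not the paper's code). The sender transcript is constructed rather than random: every $p_i$ is $c(x) + a_i (x - 1)(x - 2)$ with distinct $a_i$, so any two of them intersect exactly at x = 1 and x = 2 and S can pick $r_{ij} = 1$ for i < j and $r_{ij} = 2$ for i > j; GF(101), n = 5, t = 2 and the two adversary behaviours are likewise assumptions of the example. The first scenario shows a corrupted polynomial being removed by the t + 1 rule with the protocol finishing in one phase; the second shows that a faulty wire which leaves its polynomial intact and only alters its $r$ values is never removed, which is precisely the situation where step 6 falls back to the protocol of Section 4.1.

```python
P = 101          # constructed prime field
n, t = 5, 2      # n = 2t + 1 wires, numbered 1..n


def poly_eval(coeffs, x):
    """Evaluate a polynomial given as low-to-high coefficients over GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def sender_transcript():
    """Constructed stand-in for steps 1-2: p_i(x) = c(x) + a_i*(x-1)(x-2) with
    distinct a_i, so p_i and p_j meet exactly at x = 1 and x = 2 (t points).
    r_ij is the intersection point sent on wire w_i, chosen so that r_ij != r_ji."""
    c = [3, 7, 11]                                   # c(x) = 3 + 7x + 11x^2
    polys = {}
    for i in range(1, n + 1):
        a = 5 * i                                    # distinct a_i
        # a*(x-1)(x-2) = a*(x^2 - 3x + 2)
        polys[i] = [(c[0] + 2 * a) % P, (c[1] - 3 * a) % P, (c[2] + a) % P]
    r = {(i, j): (1 if i < j else 2) for i in polys for j in polys if i != j}
    return polys, r


def receiver_check(polys, r):
    """Steps 4-6 as run by R on the received p'_i and r'_ij.
    Returns ("OK" or "FAILURE", set of wires removed by the t+1 rule)."""
    # step 4: wire i contradicts wire j if p'_i and p'_j do not meet at r'_ij
    contradicts = {(i, j) for (i, j), point in r.items()
                   if poly_eval(polys[i], point) != poly_eval(polys[j], point)}
    # step 5: a wire contradicted by >= t+1 wires cannot be honest (proof of Lemma 12)
    removed = {j for j in polys
               if sum(1 for (_, jj) in contradicts if jj == j) >= t + 1}
    # step 6: any contradiction left among the surviving wires means FAILURE
    remaining = {(i, j) for (i, j) in contradicts
                 if i not in removed and j not in removed}
    return ("FAILURE" if remaining else "OK"), removed


def one_corrupted_polynomial():
    """Constructed adversary: wire 3 delivers p_3 + 1 instead of p_3."""
    polys, r = sender_transcript()
    polys[3] = [(polys[3][0] + 1) % P] + polys[3][1:]
    return receiver_check(polys, r)     # expected ("OK", {3})


def polynomial_plus_lying_wire():
    """Constructed adversary: as above, and wire 5 keeps p_5 intact but replaces
    every r_5j by 50, which is not an intersection point of p_5 and p_j."""
    polys, r = sender_transcript()
    polys[3] = [(polys[3][0] + 1) % P] + polys[3][1:]
    for j in polys:
        if j != 5:
            r[(5, j)] = 50
    return receiver_check(polys, r)     # expected ("FAILURE", {3})
```

In both scenarios only wire 3 is removed, which is what Lemma 11 guarantees: the t + 1 rule never discards an honest wire, so R either finishes correctly in one phase or declares FAILURE.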



Let ε be a bound on the probability that the protocol does not terminate 
in a single phase. We require that the size of the field $\mathbb{F}$ be Ω(Q(n)/ε), for some 
polynomial Q(n), but this is of course acceptable since the complexity of the 
protocol increases logarithmically with field size. We now discuss the correctness 
of the protocol. 

Lemma 11. R will never output an incorrect value. 

Proof. Since any corruption involves changing the polynomial corresponding to 
that wire, it is clear that no corrupted wire can escape contradiction by at least 
one other wire. If p and p' agree on t + 1 points (corresponding to the t + 1 
honest wires) then p and p' must be equal. Therefore, at the start of step 7, all 
the wires which were used in calculation of the output could not have corrupted 
their values. This guarantees that R's output in step 8 is correct. □ 



Lemma 12. The protocol terminates in a single phase with high probability. 

Proof. Since no uncorrupted wire changes the value sent on the wire, it follows 
that no honest wire can contradict another honest wire. Thus, if wire i contra- 
dicts wire j, then either wire i or wire j is faulty. From this it is easy to see that 
an honest wire can be contradicted by at most t other wires, and therefore any 
wire that is contradicted by t + 1 or more wires has to be faulty. Hence R can be 
sure that all the wires removed by him are indeed faulty. 

We need to show that if a wire is corrupted, then it will be contradicted by 
all the honest players with high probability. Let $\pi_{ij}$ be the probability that the 
corrupted wire j will not be contradicted by i. This means that the adversary 
can ensure that $p_j(r_{ij}) = p'_j(r_{ij})$ with a probability of $\pi_{ij}$. Since there are only 
t points at which these two polynomials intersect, this allows the adversary to 
guess the value of $r_{ij}$ with a probability of at least $\pi_{ij}/t$. But since $r_{ij}$ was selected 
uniformly in $\mathbb{F}$, the probability of guessing it is at most $1/|\mathbb{F}|$. Therefore we have 
$\pi_{ij} \le t/|\mathbb{F}|$ for each i, j. Thus the total probability that the adversary can find i, j 
such that corrupted wire j will not be contradicted by i is at most $\sum_{i,j} \pi_{ij} \le n^2 t/|\mathbb{F}|$. 
Since $\mathbb{F}$ is chosen such that $|\mathbb{F}| \ge Q(n)\,t/\varepsilon$, it follows that the protocol terminates 
in a single phase with probability ≥ 1 − ε if we set Q(n) = n². □ 

Lemma 13. The adversary gains no information about the message. 

Proof: We observe that the adversary has no information about $p_i(0)$ for each 
honest wire $w_i$. This is because $p_i$ is a random polynomial of degree t and the 
adversary has seen only t points on it (one corresponding to each faulty wire). 
The proof now follows from lemma 4. □ 



6 Mobile Adversaries 

6.1 Lower Bound on Bit Complexity 

The lower bound on the bit complexity of perfectly reliable message transmission 
proved in section 3 holds for mobile adversaries with no restriction on the number 
of phases. We give below a brief sketch of the proof. 

Since the adversary can corrupt a different set of wires in each phase, the 
protocol cannot adapt as it finds corrupted wires; thus it can be considered to be 
memoryless. Therefore the total number of bits transmitted reliably is no more 
than the sum of the number of bits transmitted reliably in each phase; we have 
already shown in section 3 that the Singleton bound implies a lower bound of 
$\Omega(n\ell/(n-2t))$ for a single phase; therefore this bound holds for multiple phase protocols 
as well. 

6.2 An Optimal Protocol 

The protocol with optimal fault tolerance and optimal communication complex- 
ity is presented below. Let m be a block of t + 1 field elements that S wishes to 
communicate securely to R. 
The Optimal Protocol 

1. S selects at random n polynomials $p_i$, 1 ≤ i ≤ n, over $\mathbb{F}$, each of de- 
gree t, and sends through each wire $w_i$ the polynomial $p_i$ and the set 
$\{p_j(\alpha_i)\}_{1 \le j \le n}$. 

2. After the completion of Phase I, R has computed the directed graph 
G of contradictions among the wires. The rest of the protocol involves 
finding all the wires that were corrupted in phase I using the graph G 
as follows: 

While there exists a wire $w_j$ in G that contradicts another wire $w_i$: 

— R broadcasts i, j, $p'_i(\alpha_j)$ and $r'_{ij}$ to S. 

— S uses this information to determine which of $w_i$ and $w_j$ is faulty 
and broadcasts the identity of the faulty wire to R. 

— R removes the faulty wire from the protocol, i.e., sets G to the 
projection of G onto the remaining wires. 

3. R now knows all the wires which were corrupted in phase I. Thus he can 
now use the $r_{ij}$ values from the uncorrupted wires to find the correct 
values of the corrupted wires. 

4. S and R both compute $y = [y_0\ y_1\ \ldots\ y_t] = \mathrm{EXTRAND}_{n,t+1}([p_1(0)\ 
p_2(0)\ \ldots\ p_n(0)])$. 

5. S broadcasts m ⊕ y to R. R recovers m = (m ⊕ y) ⊕ y. 



Theorem 7. The adversary gains no information about the message. 

Proof: First we note that at the end of the first phase, the adversary has no 
information about $p_i(0)$ for each honest wire $w_i$. This is because $p_i$ is a random 
polynomial of degree t and the adversary has seen only t points on it (one 
corresponding to each faulty wire). Furthermore, the adversary gains no new 
information in step 2. This can be seen as follows: each phase in step 2 involves 
broadcast of the 4-tuple $(i, j, p'_i(\alpha_j), r'_{ij})$. Since either wire $w_i$ or wire $w_j$ is faulty, 
this information is already known to the adversary. The other information that 
is broadcast is which of wire $w_i$ and wire $w_j$ is faulty, which is also known to 
the adversary. The theorem follows. □ 

6.3 Complexity

The first phase of the protocol involves communication of $O(n^2)$ field elements.
In step 2, each phase of communication results in the elimination of one wire.
Therefore the number of phases in this step is $O(n)$. Since each phase involves
the broadcast of $O(n)$ field elements, step 2 has a communication complexity
of $O(n^2)$ field elements. The final phase involves the broadcast of a string of length
$O(t)$ field elements. Therefore the entire protocol has communication complex-
ity $O(n^2)$ field elements. Thus the protocol for a message M consisting of an
arbitrary number $\ell$ of field elements, obtained by executing this protocol in par-
allel once per block of $t + 1$ field elements, has a communication complexity of
$O(n\ell)$ field elements, which is optimal when $n = 2t + 1$.
7 Conclusion

In this paper we have contributed significantly to the progress of the state of the
art in the problem of Perfectly Secure Message Transmission. The protocol of
Section 4.1 constitutes a major improvement over existing protocols tolerating
static adversaries; in fact we have achieved the optimal communication complex-
ity when $n = 2t + 1$ and $r = 2$. The protocol can be extended to achieve the
optimal communication complexity when $n > 2t + 1$ as well, though we have
not presented it here. It would be interesting to see if the lower bound we have
proved in Section 3 holds when $r > 2$ as well (for PSMT); we conjecture that it
does.

Perhaps our most interesting result is the average case single phase PSMT 
protocol. It is in fact surprising that such a protocol even exists; in addition our 
protocol is also very efficient in terms of communication complexity. 
Abstract. Unconditionally secure multi-party computations in general,
and broadcast in particular, are impossible if any third of the players can
be actively corrupted and if no additional information-theoretic primitive
is given. In this paper, we relativize this pessimistic result by showing
that such a primitive can be as simple as noisy communication channels
between the players or weakly correlated pieces of information. We con-
sider the scenario where three players have access to random variables
$X$, $Y$, and $Z$, respectively, and give the exact condition on the joint dis-
tribution $P_{XYZ}$ under which unconditional broadcast is possible. More
precisely, we show that this condition characterizes the possibility of real- 
izing so-called pseudo-signatures between the players. As a consequence 
of our results, we can give conditions for the possibility of achieving un- 
conditional broadcast between n players and any minority of cheaters 
and, hence, general multi-party computation under the same condition. 

Keywords: Unconditional security, pseudo-signatures, broadcast, multi- 
party computation, information theory. 



1 Motivation and Preliminaries 

1.1 Introduction 

Digital signatures [11, 19] are a powerful tool not only in the context of digital 
contract signing, but also as a basic primitive for cryptographic protocols such 
as electronic voting or secure multi-party computation. Much less known are 
so-called pseudo-signature schemes, which guarantee unconditional security — in 
contrast to classical digital-signature schemes. The inherent price for their higher 
security, however, is the signatures' limited transferability: Whereas classical
signatures can be arbitrarily transferred without losing conclusiveness, pseudo-
signatures only remain secure for a fixed number $\lambda$ — the transferability — of trans-
fers among different parties. Since the necessary number of signature transfers
in a protocol is typically bounded by the number of involved parties, pseudo-
signatures are, nevertheless, useful and offer a provably higher security level than
traditional signature schemes. For example, the authenticated broadcast proto-
col in [13] can be based on pseudo-signatures and then guarantees unconditional
(instead of computational) security against any number of corrupted players [25].

A pseudo-signature scheme among a number of players can either be set up 
by a mutually trusted party, by a protocol among the players when given global 
broadcast channels, or — as we will show — by exploiting an information source 
that provides the players with certain correlated pieces of information — a similar 
model has been considered in [21] in the context of secret-key agreement. 

In this paper, we consider the general case of an information source that pro- 
vides a set of n players with pieces of information distributed according to some 
given joint probability distribution. For the case of three players, we completely 
characterize when such an information source allows for setting up a pseudo- 
signature scheme. This result can be used for deriving a complete characteriza- 
tion of when unconditionally secure three-party computation — or broadcast, in 
particular — is achievable in the presence of an actively corrupted player. Fur- 
thermore, we give, in the same model, a sufficient condition for the achievability 
of unconditionally secure multi-party computation for any number $n$ of players
secure against $t < n/2$ actively corrupted players.

1.2 Context and Previous Work 

Pseudo-signature schemes (PSS). The first pseudo-signature-like scheme was 
given in form of an information-checking protocol among three players [26]. In 
contrast to real pseudo-signatures, however, the signer is required to commit to 
her input value already during the setup of the scheme. 

The first PSS was introduced in [7] with the restriction to be secure only
with respect to a correct signer. In [25], finally, a complete PSS was proposed
for any transferability $\lambda$ and any number of corrupted players.

Setting up a PSS. It was shown in [25] how to set up a PSS using global broadcast 
channels, where the dining-cryptographers protocol [5,4] was used. Obtaining a 
PSS from a common random source was considered in [15,16], but only with 
respect to three players and one particular probability distribution. 

Broadcast. The broadcast problem was introduced in [20]. It was proven that, 
in the standard model with secure channels between all pairs of players, but 
without the use of a signature scheme, broadcast is achievable if and only if 
the number t of cheaters satisfies t < n/3. Furthermore, it was shown that 
when additionally a signature scheme is given among the n players, then com- 
putationally secure broadcast is achievable for any number of corrupted players. 
The first efficient such protocol was given in [12]. In [25], an efficient protocol
was given with unconditional security based on a pseudo-signature scheme with
transferability $t + 1$.

Matthias Fitzi, Stefan Wolf, and Jürg Wullschleger

Multi-party computation (MPC). Broadcast — or the availability of signatures
with sufficiently high transferability — is a limiting factor for general multi-party
computation introduced in [27]. A complete solution with respect to computa-
tional security was given in [18]. In [2,6], it was shown that in a model with
only pairwise secure channels, MPC unconditionally secure against an active
adversary is achievable if and only if $t < n/3$ players are corrupted. As shown
in [1, 26], $t < n/2$ is achievable when global broadcast channels are additionally
given — and this bound was shown tight. A protocol more efficient than those
in [1,26] was given in [10].



1.3 Our Results 

We first consider a set of three players, connected in pairs by secure channels, 
where an additional information source provides the players with correlated 
pieces of information. We give a necessary and sufficient condition on the joint 
probability distribution of this side information for when a pseudo-signature 
scheme can be set up among the three players with a designated signer. Fur- 
thermore, we show that the tight condition for the achievability of broadcast or 
multi-party computation among three players unconditionally secure against one 
actively corrupted player is exactly the same as the one for a pseudo-signature 
scheme with respect to an arbitrary. The derived condition shows that pseudo- 
signature schemes and broadcast among three players are possible under much 
weaker conditions than previously known. 

We further consider the general case of n players, connected in pairs by 
secure channels, where, again, an additional information source provides the 
players with side information. For this model, and under the assumption that 
an active adversary can corrupt up to $t < n/2$ players, we show that MPC is
possible under much weaker conditions than previously known.



1.4 Model and Definitions 

We consider a set $\mathcal{P} = \{P_1, \ldots, P_n\}$ of $n$ players that are connected by a com-
plete, synchronous network of pairwise secure channels — in the presence of an
active adversary who can select up to $t$ players and corrupt them in an arbitrary
way. Furthermore, we assume this adversary to be computationally unbounded.
A player which does not get corrupted by the adversary is called correct.



Pseudo-signatures. We follow the definition of pseudo-signature schemes as 
given in [25]. 

Definition 1. A pseudo-signature scheme (PSS) with transferability $\lambda$ among
the players $P_1, \ldots, P_n$, where $P_1$ is the signer, satisfies the following properties.

Correctness. If player $P_1$ is correct and signs a message, then a correct player
$P_i$ accepts this message from $P_1$ except with small probability.

Unforgeability. A correct player $P_i$ rejects any message that has not been signed
by $P_1$ except with small probability.

Transferability. A message signed by the correct player $P_1$ can be transferred $\lambda$
times, e.g., via
$$P_1 \to P_{i_1} \to \cdots \to P_{i_{\lambda+1}},$$
such that we have for each $j \le \lambda$ and correct players $P_{i_j}$ and $P_{i_{j+1}}$ that if
$P_{i_j}$ accepts a message $m$, then $P_{i_{j+1}}$ accepts the same message except with
small probability.

If the path $i_1, \ldots, i_{\lambda+1}$ can be arbitrary, we call the scheme a PSS with arbitrary
transfer paths; if the transfer is restricted to a specific path $i_1, \ldots, i_{\lambda+1}$, we call
it a PSS with transfer path $i_1, \ldots, i_{\lambda+1}$.

The choice $\lambda = 1$ will be sufficient in our case since any such PSS allows for
broadcast for $t < n/2$ corrupted players [17].

Broadcast and Multi-party Computation. Broadcast is the problem of 
having a (possibly corrupted) sender distribute a value to every player such that 
all correct players are guaranteed to receive the same value. 

Definition 2. A protocol among players $P_1, \ldots, P_n$, where $P_1$ is the sender
and holds input $x_s$, and where every player $P_i$ computes an output $y_i$, achieves
broadcast if it satisfies the following conditions.

Validity. If the sender $P_1$ is correct, then every correct player $P_i$ computes the
output $y_i = x_s$.

Consistency. All correct players $P_i$ and $P_j$ compute the same output value, i.e.,
$y_i = y_j$ holds.

Broadcast is a special case of the more general problem of multi-party com- 
putation (MPC), where the players want to evaluate in a distributed way some 
given function of their inputs and hereby guarantee privacy of these inputs as 
well as correctness of the computed result. From a qualitative point of view, 
the security of multi-party computation is often broken down to the conditions 
privacy, correctness, robustness, and fairness. In [8], it was shown that all these 
conditions can only be satisfied simultaneously if t < n/2 holds — the case to 
which we restrict our considerations in this paper. 



2 Dependent Parts and Simulation of Random Variables

In this section we introduce the notion of the dependent part of a random variable
with respect to another, and a certain simulatability condition, defined for a
triple of random variables. The dependent part of $X$ from $Y$ isolates the part of
$X$ that is dependent on $Y$. Note that we always assume that the joint distribution
is known to all the players.

Definition 3. Let $X$ and $Y$ be two random variables, and let $f(x) = P_{Y|X=x}$.
The dependent part of $X$ from $Y$ is defined as $X \searrow Y := f(X)$.

The random variable $X \searrow Y$ is a function of $X$ and takes on the value of the
conditional probability distribution $P_{Y|X=x}$.

Lemma 1. For all $X$ and $Y$, we have $X \leftrightarrow (X \searrow Y) \leftrightarrow Y$, i.e., the
sequence $X, X \searrow Y, Y$ is a Markov chain¹.

Proof. Let $K = f(X) = X \searrow Y$. For all $x \in \mathcal{X}$ — the range of $X$ — and $k = f(x)$,
we have $P_{Y|X=x,K=k} = P_{Y|K=k}$, and, hence, $P_{Y|XK} = P_{Y|K}$. □

We will now show that $K = X \searrow Y$ is the part of $X$ that a player who knows
$Y$ can verify to be correct. Lemma 2 shows that every $\bar K$ a player knowing $X$
can construct that has the same joint distribution with $Y$ as the actual $K$ must
indeed be identical with $K$. Lemma 3 shows that from $K$, a random variable $\bar X$
can be constructed which has the same joint distribution with $Y$ as $X$. Hence,
$K$ is the largest part of $X$ that someone knowing $Y$ can verify to be correct.

Lemma 2. Let $X$, $K$, $\bar K$, and $Y$ be random variables such that $K = X \searrow Y$,
$Y \leftrightarrow X \leftrightarrow \bar K$, and $P_{KY} = P_{\bar K Y}$ hold. Then we have $\bar K = K$.

Proof. We have $K = f(X)$, $P_{\bar K|XY} = P_{\bar K|X}$, $P_K = P_{\bar K}$, and $P_{Y|X} = P_{Y|K}$.
Let us have a look at a value $k$ for which $P_{Y|K=k}$ cannot be expressed as a
linear combination of $P_{Y|X=x_i}$ for $x_i \in \mathcal{X}$ with $f(x_i) \ne k$. (It is easy to see
that such a $k$ must exist.) Let $S$ be the set of all $x$ with $f(x) = k$. In order to
achieve $P_{Y|\bar K=k} = P_{Y|K=k}$, no $x'$ not in $S$ can be mapped to $k$ by $P_{\bar K|X}$. Since
$P_{\bar K}(k) = P_K(k)$ holds, $P_{\bar K|X}$ must map all values from $S$ to $k$.

We remove the elements of $S$ from $\mathcal{X}$, repeat the same argument for the next
$k$, and continue this process until $\mathcal{X}$ is empty. Hence, $P_{\bar K|X}$ maps all $x$ to $f(x)$,
and $\bar K = K$ holds. □

Lemma 3. Let $X$ and $Y$ be random variables, and let $K = X \searrow Y$. There
exists a channel $P_{\bar X|K}$ — which is equal to $P_{X|K}$ — such that $P_{XY} = P_{\bar X Y}$ holds,
where $P_{\bar X Y} = \sum_k P_{KY} P_{\bar X|K}$.

Proof. Using Lemma 1, we get $P_{\bar X Y} = \sum_k P_{KY} P_{\bar X|K} = \sum_k P_{KY} P_{X|K} = P_{XY}$.
□



The simulatability condition, which allows for determining the possibility of
secret-key agreement over unauthenticated channels, was defined in [22] and
further analyzed in [24]. It defines whether, given $Z$, it is possible to simulate $X$
in such a way that someone who only knows $Y$ cannot distinguish the simulation
of $X$ from the true $X$.

¹ A sequence of three random variables $A$, $B$, $C$ forms a Markov chain, denoted by
$A \leftrightarrow B \leftrightarrow C$, if $I(A; C \mid B) = 0$ holds or, equivalently, if we have $P_{C|AB}(c, a, b) =
P_{C|B}(c, b)$ for all $(a, b, c) \in \mathcal{A} \times \mathcal{B} \times \mathcal{C}$.

Definition 4. Let $X$, $Y$, and $Z$ be random variables. Then $X$ is simulatable by
$Z$ with respect to $Y$, denoted by
$$\mathrm{sim}_Y(Z \to X),$$
if there exists a conditional distribution $P_{\bar X|Z}$ such that $P_{\bar X Y} = P_{XY}$ holds,
where $P_{\bar X Y} = \sum_z P_{YZ} P_{\bar X|Z}$.

Lemma 4. For all $P_{XYZ}$, we have $\mathrm{sim}_Y(Z \to X)$ if and only if
$$\mathrm{sim}_Y(Z \to (X \searrow Y)).$$

Proof. Let $K := X \searrow Y$. $K$ is a function of $X$ and can be simulated whenever
the same holds for $X$. On the other hand, let $P_{\bar K|Z}$ be a channel that simulates
$K$. It follows from Lemma 3 that there exists a channel $P_{\bar X|\bar K}$ — which is equal
to $P_{X|K}$ — such that the channel $P_{\bar X|Z} := \sum_k P_{\bar X|\bar K} P_{\bar K|Z}$ simulates $X$. □



Lemma 5. For all $P_{XYZ}$, we have $\mathrm{sim}_Z(Y \to [X, Y])$ if and only if $X \leftrightarrow
Y \leftrightarrow Z$.

Proof. Suppose first that we have $\mathrm{sim}_Z(Y \to [X, Y])$. There must exist a channel
$P_{\bar X \bar Y|Y}$ such that $P_{\bar X \bar Y Z} = P_{XYZ}$ holds, where $P_{\bar X \bar Y Z} = \sum_y P_{YZ} P_{\bar X \bar Y|Y}$. Let
$K := Y \searrow Z$ and $\bar K := \bar Y \searrow Z$. Because of $Z \leftrightarrow Y \leftrightarrow \bar Y$ and $P_{\bar Y Z} = P_{YZ}$,
we have $Z \leftrightarrow Y \leftrightarrow \bar K$ and $P_{\bar K Z} = P_{KZ}$. It follows from Lemma 2 that $\bar K = K$
holds. From Lemma 1 follows that $P_{Y|KZ} = P_{Y|K}$. We also have $P_{\bar X|\bar Y Y} = P_{\bar X|\bar Y}$.
Now,
$$\begin{aligned}
P_{\bar X \bar Y Z} &= \sum_y P_{YZ} P_{\bar X \bar Y|Y} = \sum_y \sum_k P_{KZ} P_{Y|KZ} P_{\bar X \bar Y|Y} \\
&= \sum_k P_{KZ} \sum_y P_{Y|K} P_{\bar X \bar Y|Y} = \sum_k P_{KZ} P_{\bar X \bar Y|K} \\
&= \sum_k P_{KZ} P_{\bar Y|K} P_{\bar X|K \bar Y} = P_{\bar Y Z} P_{\bar X|\bar Y} .
\end{aligned}$$
It follows that $P_{X|YZ} = P_{\bar X|\bar Y Z} = P_{\bar X|\bar Y} = P_{X|Y}$ holds and, hence, $X \leftrightarrow Y \leftrightarrow
Z$.

Suppose now that we have $X \leftrightarrow Y \leftrightarrow Z$. It follows $P_{X|YZ} = P_{X|Y}$. Let
$P_{\bar X \bar Y|Y} := P_{XY|Y}$. We get
$$P_{\bar X \bar Y Z} = \sum_y P_{YZ} P_{XY|Y} = P_{YZ} P_{X|Y} = P_{YZ} P_{X|YZ} = P_{XYZ} .$$
□
3 Pseudo-signature Schemes

3.1 The Case of Three Players

We will state the exact condition under which a PSS can be set up from correlated
pieces of information. We need the following lemma.

Lemma 6. Let $P_{XYZ}$ be the probability distribution of three random variables
$X$, $Y$, and $Z$. Then the following three conditions are equivalent:

1. There exist two channels $P_{\bar X|X}$ and $P_{\bar X \bar Y|Y}$ such that $P_{\bar X Y} = P_{XY}$ and
   $P_{\bar X \bar Y Z} = P_{\bar X Y Z}$ hold, where $P_{\bar X Y} = \sum_x P_{XY} P_{\bar X|X}$, $P_{\bar X Y Z} = \sum_x P_{XYZ} P_{\bar X|X}$,
   and $P_{\bar X \bar Y Z} = \sum_y P_{YZ} P_{\bar X \bar Y|Y}$.

2. $\mathrm{sim}_Z(Y \to [X \searrow Y, Y])$.

3. $(X \searrow Y) \leftrightarrow Y \leftrightarrow Z$.

Proof. Lemma 5 implies that 2. and 3. are equivalent. In the following we will
prove that 1. and 2. are equivalent.

Assume that 1. is true. We have $\mathrm{sim}_Z(Y \to [\bar X, Y])$ for some $\bar X$ with $P_{\bar X Y} =
P_{XY}$ and $Y \leftrightarrow X \leftrightarrow \bar X$. Let $K = X \searrow Y$ and $\bar K = \bar X \searrow Y$. We have
$P_{KY} = P_{\bar K Y}$ and $Y \leftrightarrow X \leftrightarrow \bar K$. From Lemma 2, it follows $K = \bar K$. Since $K$
is a function of $\bar X$, we get $\mathrm{sim}_Z(Y \to [X \searrow Y, Y])$.

Assume now that 2. is true. Hence, there exists a channel $P_{\bar K \bar Y|Y}$ such that
$P_{\bar K \bar Y Z} = P_{KYZ}$ holds for $K := X \searrow Y$. Lemma 3 implies that there exists a
channel $P_{\bar X|K}$ — which is equal to $P_{X|K}$ — such that $P_{\bar X Y} = P_{XY}$ holds. We set
$P_{\bar X \bar Y|Y} := \sum_k P_{\bar X|K} P_{\bar K \bar Y|Y}$ and $P_{\bar X|X} := \sum_k P_{\bar X|K} P_{K|X}$ to get
$$\begin{aligned}
P_{\bar X Y} &= \sum_x P_{XY} P_{\bar X|X} = \sum_x P_{XY} \sum_k P_{\bar X|K} P_{K|X} = \sum_k P_{\bar X|K} \sum_x P_{XY} P_{K|X} \\
&= \sum_k P_{\bar X|K} P_{KY} = \sum_k P_{X|K} P_{KY} = P_{XY} ,
\end{aligned}$$
$$\begin{aligned}
P_{\bar X \bar Y Z} &= \sum_y P_{YZ} P_{\bar X \bar Y|Y} = \sum_y P_{YZ} \sum_k P_{\bar X|K} P_{\bar K \bar Y|Y} = \sum_k P_{\bar X|K} \sum_y P_{YZ} P_{\bar K \bar Y|Y} \\
&= \sum_k P_{\bar X|K} P_{\bar K \bar Y Z} = \sum_k P_{\bar X|K} P_{KYZ} = \sum_k P_{\bar X|K} \sum_x P_{XYZ} P_{K|X} \\
&= \sum_x P_{XYZ} \sum_k P_{\bar X|K} P_{K|X} = \sum_x P_{XYZ} P_{\bar X|X} = P_{\bar X Y Z} .
\end{aligned}$$
□

Our pseudo-signature protocol makes use of typical sequences. Intuitively, a 
sequence of independent realizations of a random variable is typical if the actual 
rate of occurrences of every specific outcome symbol in the sequence is close to 
the probability of this symbol. 

Definition 5. [3, 9] Let $X$ be a random variable with distribution $P_X$ and range
$\mathcal{X}$, let $n > 0$ be an integer, and let $\gamma > 0$. A sequence $x^n = (x_1, \ldots, x_n) \in \mathcal{X}^n$
is called (strongly) $\gamma$-typical if, for all $a \in \mathcal{X}$, the actual number $N(a, x^n)$ of
appearances of $a$ in $x^n$ satisfies
$$\left| \frac{N(a, x^n)}{n} - P_X(a) \right| \le \gamma .$$

It is a consequence of the law of large numbers that for every $\gamma > 0$, suf-
ficiently long sequences of independent realizations of a random variable are
$\gamma$-typical with overwhelming probability.

Theorem 1. [3, 9] Let $X^n = X_1 \cdots X_n$ be a sequence of $n$ independent real-
izations of the random variable $X$ with distribution $P_X$ and range $\mathcal{X}$, and let
$0 < \gamma < 1/2$. Then
$$\mathrm{Prob}\,[X^n \text{ is strongly } \gamma\text{-typical}] = 1 - 2^{-\Omega(n\gamma^2)} .$$



The following protocol allows $P_1$ to sign a bit along the transfer path $P_1 \to
P_2 \to P_3$.

Protocol 1. Let $P_{XYZ}$ be such that $\mathrm{sim}_Z(Y \to [X \searrow Y, Y])$ does not hold. Let
$K := X \searrow Y$ and $L := [K, Y] \searrow Z$. Lemma 4 implies that there must exist $\delta > 0$
such that for all channels $P_{\bar L|Y}$, the statistical distance between the distributions
$P_{LZ}$ and $P_{\bar L Z}$ is at least $\delta$.

Let $n$ be an even integer, and let $(X_1, Y_1, Z_1), \ldots, (X_n, Y_n, Z_n)$ be $n$ triples
distributed independently according to $P_{XYZ}$. Let $\gamma > 0$ be a security parameter
and $n$ be large enough. Let $P_1$, $P_2$, and $P_3$ know $(X_1, \ldots, X_n)$, $(Y_1, \ldots, Y_n)$, and
$(Z_1, \ldots, Z_n)$, respectively. Let, finally, $m \in \{0, 1\}$ be the value $P_1$ wants to sign.

- $P_1$ calculates $K_i := X_i \searrow Y_i$ and sends $(m, K_{1+(n/2)m}, \ldots, K_{n/2+(n/2)m})$ to
  $P_2$.

- $P_2$ checks whether the received $K_i$ and the corresponding $Y_i$ are a $\gamma$-typical
  sequence with respect to $P_{KY}$. If so, he accepts, calculates $L_i := [K_i, Y_i] \searrow
  Z_i$, and sends $(m, L_{1+(n/2)m}, \ldots, L_{n/2+(n/2)m})$ to $P_3$.

- $P_3$ checks whether the received $L_i$ and the corresponding $Z_i$ are a $\delta/2$-typical
  sequence with respect to $P_{LZ}$. If so, he accepts.

Theorem 2. Let $(X_1, Y_1, Z_1), \ldots, (X_n, Y_n, Z_n)$ be $n$ triples distributed indepen-
dently according to $P_{XYZ}$. Let $P_1$, $P_2$, and $P_3$ know the values $X_i$, $Y_i$, and $Z_i$,
respectively. Let $P_1$ be able to send messages to $P_2$, and $P_2$ to $P_3$.

If $\mathrm{sim}_Z(Y \to [X \searrow Y, Y])$ does not hold and $n$ is large enough, then Proto-
col 1 achieves a PSS for the three players with the transfer path $P_1 \to P_2 \to P_3$.

Proof. We prove that Protocol 1 implements a PSS. First of all, it follows from
Theorem 1 that the value from a correct sender $P_1$ is accepted by $P_2$ except
with exponentially small probability. If $P_2$ is correct and accepts a value and if $\gamma$
is small enough, Lemma 2 implies that $P_1$ must indeed have sent an arbitrarily
large fraction (for sufficiently large $n$) of correct values $K_i = X_i \searrow Y_i$ to $P_2$.
(Note that the knowledge of the values $X_j$ for $j \ne i$ does not help $P_1$ to cheat
since they are independent of $X_i$ and $Y_i$.)

Therefore, also an arbitrarily large fraction of the values $L_i = [K_i, Y_i] \searrow Z_i$
are correct and — if $P_3$ is correct — $P_3$ will accept the values $L_i$ sent to him by $P_2$
(except with exponentially small probability).

$P_2$, however, cannot (except with exponentially small probability) send any
other value than the one sent by $P_1$. Indeed, his ability to do so would imply
the existence of a channel $P_{\bar L|Y}$ such that $P_{\bar L Z}$ and $P_{LZ}$ are identical (see the
proof of Lemma 6 in [23]); such a channel, however, does not exist because of
the assumption stated at the beginning of the protocol. □



We now show that the condition of Theorem 2 for the achievability of a
PSS among three players is tight, in other words, that $\mathrm{sim}_Z(Y \to [X \searrow Y, Y])$
and $\mathrm{sim}_Y(Z \to [X \searrow Z, Z])$ imply that no PSS with signer $P_1$ is possible. In
order to demonstrate impossibility, we use a similar technique as in [14]. There,
the impossibility of broadcast among three players secure against one corrupted
player was shown by analyzing a related system obtained by copying some of
the players and rearranging the original players together with their copies in a
specific way.

Theorem 3. Let $(X_1, Y_1, Z_1), \ldots, (X_n, Y_n, Z_n)$ be $n$ triples distributed indepen-
dently according to $P_{XYZ}$. Let $P_1$, $P_2$, and $P_3$ know the values $X_i$, $Y_i$, and $Z_i$,
respectively. Let the players be connected by pairwise secure channels.

If $\mathrm{sim}_Z(Y \to [X \searrow Y, Y])$ and $\mathrm{sim}_Y(Z \to [X \searrow Z, Z])$ hold, then there does
not exist — for any $n$ — a PSS for the three players with any transfer path and
with $P_1$ as the signer.



Proof. Let us assume that there exists a protocol among the players $P_1$, $P_2$, and
$P_3$ that achieves a PSS for the three players with transfer path $P_1 \to P_2 \to P_3$.
From Lemma 6, it follows that there exist channels $P_{\bar X|X}$ and $P_{\bar X \bar Y|Y}$ such that
$$P_{\bar X Y} = P_{XY} \quad\text{and}\quad P_{\bar X \bar Y Z} = P_{\bar X Y Z}$$
hold, and $P_{X'|X}$ and $P_{X' Z'|Z}$ such that
$$P_{X' Z} = P_{XZ} \quad\text{and}\quad P_{X' Y Z'} = P_{X' Y Z}$$
hold.



Let $P_1'$ be an identical copy of $P_1$. We now rearrange the four players $P_1$,
$P_2$, $P_3$, and $P_1'$ in the following way to form a new system. The analysis of that
system then reveals that no PSS among the three original players is possible.
Note that, in the new system, no player is corrupted: It is rather the arrangement
of this new system that simulates corruption in the original system towards the
players in the new system.

- $P_1$ is still connected to $P_2$ as originally, but disconnected from $P_3$, i.e., all
  messages $P_1$ would send to $P_3$ are discarded and no message $P_3$ would send
  to $P_1$ is ever received by $P_1$.

- $P_2$ is still connected to $P_1$ and $P_3$ as in the original system.

- $P_3$ is still connected to $P_2$ as originally, but disconnected from $P_1$. Instead,
  $P_3$ is connected to $P_1'$: All messages that $P_3$ would send to $P_1$ are delivered
  to $P_1'$ instead, and all messages $P_1'$ would send to $P_3$ are indeed delivered to
  $P_3$.

- $P_1'$ is connected to $P_3$ as originally, but disconnected from $P_2$.
Furthermore, instead of $X_i$, let $P_1$ have input $\bar X_i$ and $P_1'$ have input $X_i'$. Let
them execute their local programs defined by the PSS protocol, where $P_1$ signs
the message $m$ and $P_1'$ signs the message $m'$.

- Since $P_{\bar X Y} = P_{XY}$ holds, the joint view among $P_1$ and $P_2$ is indistinguishable
  from their view in the original system where $P_1$ holds input $m$ and $P_3$ is
  corrupted in the following way: $P_3$ cuts off communication to $P_1$, simulates
  $P_1'$ using the channel $P_{X' Z'|Z}$ to produce the values $X'$ and $Z'$, and acts
  towards $P_2$ as if communicating with $P_1'$ instead of $P_1$ (indistinguishability
  follows from $P_{X' Y Z} = P_{X' Y Z'}$). Hence, by the correctness property, $P_2$ must
  accept $m$ as signed by $P_1$.

- The joint view of $P_2$ and $P_3$ is indistinguishable from their view in the original
  system where $P_1$ is corrupted in the following way: $P_1$ simulates player $P_1'$,
  uses the channel $P_{\bar X|X}$ for his own input and the channel $P_{X'|X}$ for $P_1'$, and
  acts towards $P_3$ as $P_1'$. Thus, by the transferability property, $P_3$ must accept
  the transferred message $m$ from $P_2$.

- Since $P_{XZ} = P_{X' Z}$ holds, the joint view of $P_1'$ and $P_3$ is indistinguishable
  from their view in the original system² where $P_1'$ holds input $m'$ and $P_2$ is
  corrupted in the following way: $P_2$ cuts off communication to $P_1'$, simulates
  $P_1$ using the channel $P_{\bar X \bar Y|Y}$ to produce the values $\bar X$ and $\bar Y$, and acts towards
  $P_3$ as if communicating with $P_1$ instead of $P_1'$ (indistinguishability follows
  from $P_{\bar X \bar Y Z} = P_{\bar X Y Z}$). Hence, by the unforgeability property, $P_3$ must reject
  the signature transferred to him by $P_2$.

However, this is impossible since $P_3$ cannot accept and reject $m$ at the same
time. The proof for the transfer path $P_1 \to P_3 \to P_2$ is analogous. Hence, there
does not exist a PSS for any transfer path. □



If the condition of Theorem 3 does not hold, then there exists a transfer
path — namely either $P_1 \to P_2 \to P_3$ or $P_1 \to P_3 \to P_2$ — for which Theorem 2
can be applied. Therefore, the bound of Theorem 3 is tight, and we can state
the exact condition under which a PSS for three players and a designated signer
exists.

Theorem 4. Let $(X_1, Y_1, Z_1), \ldots, (X_n, Y_n, Z_n)$ be $n$ triples distributed indepen-
dently according to $P_{XYZ}$. Let $P_1$, $P_2$, and $P_3$ know the values $X_i$, $Y_i$, and $Z_i$,
respectively. Let the players pairwisely be connected by secure channels.

There exists a PSS for the three players with transfer path $P_1 \to P_j \to
P_k$ ($j \ne k$) for large enough $n$ if and only if either $\mathrm{sim}_Z(Y \to [X \searrow Y, Y])$ or
$\mathrm{sim}_Y(Z \to [X \searrow Z, Z])$ does not hold.

Application of Lemma 5 leads to the following corollary. 



² For simplicity, we assume the original system to consist of the players $\{P_1', P_2, P_3\}$
for this case.
Corollary 1. Let $(X_1, Y_1, Z_1), \ldots, (X_n, Y_n, Z_n)$ be $n$ triples distributed indepen-
dently according to $P_{XYZ}$. Let $P_1$, $P_2$, and $P_3$ know the values $X_i$, $Y_i$, and $Z_i$,
respectively. Let the players pairwisely be connected by secure channels.

There exists a PSS for the three players with transfer path $P_1 \to P_j \to P_k$
($j \ne k$) for large enough $n$ if and only if either $(X \searrow Y) \leftrightarrow Y \leftrightarrow Z$ or
$(X \searrow Z) \leftrightarrow Z \leftrightarrow Y$ does not hold.

We will now present a special case of noisy channels among three players
for which our PSS works. This special case is related to the "satellite scenario"
of [21] for secret-key agreement.

Corollary 2. Let $R$ be a binary random variable and let $X$, $Y$, and $Z$ be random
variables resulting from the transmission of $R$ over three binary symmetric chan-
nels with error probabilities $\varepsilon_X$, $\varepsilon_Y$, and $\varepsilon_Z$, respectively, such that $0 < \varepsilon_X < 1/2$,
$0 < \varepsilon_Y < 1/2$ and $0 < \varepsilon_Z < 1/2$ hold. Let $(X_1, Y_1, Z_1), \ldots, (X_n, Y_n, Z_n)$ be $n$
triples generated independently this way. Let $P_1$, $P_2$, and $P_3$ be three players and
assume that they know $X_i$, $Y_i$, and $Z_i$, respectively. Let, finally, the players pair-
wisely be connected by secure channels. Then, for large enough $n$, there exists a
PSS for the three players with arbitrary transfer path.

Proof. We have that $X \searrow Y$, $X \searrow Z$ and $X$ are — up to renaming — equal, and
neither $X \leftrightarrow Y \leftrightarrow Z$ nor $X \leftrightarrow Z \leftrightarrow Y$ holds. □
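The following Python example is added here to make the notions of Section 2 and the statements of Protocol 1, Theorem 2 and Corollaries 1 and 2 concrete; it is not code from the paper. It computes dependent parts (Definition 3) and Markov-chain conditions exactly, in rational arithmetic, checks Lemma 1 and the condition of Corollary 1 for the satellite scenario of Corollary 2 (taken here with a uniform bit $R$ and error probabilities $0.1$, $0.2$, $0.15$, which are choices of the example) and for a constructed contrast case in which $P_3$ merely holds a copy of $P_2$'s $Y$, and then runs Protocol 1 on sampled triples. Two simplifications are assumptions of the example, not of the paper: $P_3$'s tolerance is a fixed value standing in for $\delta/2$ (the $\delta$ of the text is a minimum over all channels $P_{\bar L|Y}$, which is not computed here), and the dishonest $P_2$ follows one particular strategy, replacing the $K_i$ he never received by the most likely $K$ given $Y_i$.

```python
import random
from collections import Counter
from fractions import Fraction as F
from itertools import product

# Distributions are dicts  outcome-tuple -> Fraction.  Coordinate positions:
X, Y, Z, K, L = 0, 1, 2, 3, 4     # K = X\Y and L = [K,Y]\Z get appended later

def satellite(eps_x, eps_y, eps_z):
    """P_XYZ of Corollary 2: a bit R (assumed uniform here) sent over three
    independent binary symmetric channels.  Outcomes are (x, y, z)."""
    def bsc(r, v, e):
        return 1 - e if v == r else e
    return {(x, y, z): sum(F(1, 2) * bsc(r, x, eps_x) * bsc(r, y, eps_y)
                           * bsc(r, z, eps_z) for r in (0, 1))
            for x, y, z in product((0, 1), repeat=3)}

def copy_of_y(p):
    """Constructed contrast case: P_3's Z is just a copy of P_2's Y."""
    q = Counter()
    for (x, y, _z), pr in p.items():
        q[(x, y, y)] += pr
    return dict(q)

def marginal(p, idx):
    m = Counter()
    for v, pr in p.items():
        m[tuple(v[i] for i in idx)] += pr
    return m

def dependent_part(p, xi, yi):
    """Definition 3: f(x) = P_{Y|X=x} with 'X' and 'Y' the coordinate sets xi
    and yi.  Each value of f is a hashable label of one conditional
    distribution, so f(X) is exactly the dependent part X\\Y."""
    pxy, px, py = marginal(p, xi + yi), marginal(p, xi), marginal(p, yi)
    return {x: tuple(sorted((y, pxy[x + y] / px[x]) for y in py if pxy[x + y]))
            for x in px}

def extend(p, f, xi):
    """Append f(x) as a further coordinate of every outcome."""
    return {v + (f[tuple(v[i] for i in xi)],): pr for v, pr in p.items()}

def is_markov(p, ai, bi, ci):
    """A <-> B <-> C  iff  P(a,b,c) P(b) = P(a,b) P(b,c) for all a, b, c."""
    pab, pbc, pb = marginal(p, ai + bi), marginal(p, bi + ci), marginal(p, bi)
    pabc = marginal(p, ai + bi + ci)
    return all(pabc[a + b + c] * pb[b] == pab[a + b] * pbc[b + c]
               for a in marginal(p, ai) for b in pb for c in marginal(p, ci))

def with_parts(p):
    """Append K = X\\Y (coordinate 3) and L = [K, Y]\\Z (coordinate 4)."""
    q = extend(p, dependent_part(p, (X,), (Y,)), (X,))
    return extend(q, dependent_part(q, (K, Y), (Z,)), (K, Y))

def pss_possible(p):
    """Corollary 1 for signer P_1: a PSS exists iff (X\\Y) <-> Y <-> Z or
    (X\\Z) <-> Z <-> Y fails."""
    q = with_parts(p)
    r = extend(p, dependent_part(p, (X,), (Z,)), (X,))    # coordinate 3 = X\Z
    return (not is_markov(q, (K,), (Y,), (Z,))
            or not is_markov(r, (3,), (Z,), (Y,)))

def typical(seq, p, gamma):
    """Definition 5: is seq strongly gamma-typical with respect to p?"""
    c, n = Counter(seq), len(seq)
    return all(abs(F(c[a], n) - p.get(a, 0)) <= gamma for a in set(p) | set(c))

def protocol1(p, n, m, gamma, tol, cheating_p2=False, seed=7):
    """Protocol 1 for the bit m on n sampled triples; returns (P_2 accepts,
    P_3 accepts).  With cheating_p2, P_2 tries to pass on 1-m: he lacks P_1's
    K_i for that half and substitutes the most likely K given Y_i (assumed
    strategy).  'tol' stands in for delta/2 of the text (assumed value)."""
    q = with_parts(p)
    pky, plz = marginal(q, (K, Y)), marginal(q, (L, Z))
    lf = dependent_part(q, (K, Y), (Z,))
    outcomes = list(q)
    rng = random.Random(seed)
    rounds = rng.choices(outcomes, [float(q[o]) for o in outcomes], k=n)
    half = range(n // 2 * m, n // 2 * (m + 1))   # indices 1+(n/2)m .. n/2+(n/2)m
    # P_1 -> P_2: (m, K_i for i in half); P_2 checks (K_i, Y_i) against P_KY
    p2_accepts = typical([(rounds[i][K], rounds[i][Y]) for i in half], pky, gamma)
    if cheating_p2:
        ks = [k for (k,) in marginal(q, (K,))]
        guess = {y: max(ks, key=lambda k: pky[(k, y)]) for (y,) in marginal(q, (Y,))}
        half = range(n // 2 * (1 - m), n // 2 * (2 - m))
        ls = [(lf[(guess[rounds[i][Y]], rounds[i][Y])], rounds[i][Z]) for i in half]
    else:
        ls = [(rounds[i][L], rounds[i][Z]) for i in half]  # L_i = [K_i, Y_i]\Z_i
    # P_2 -> P_3: (m, L_i); P_3 checks (L_i, Z_i) against P_LZ
    return p2_accepts, typical(ls, plz, tol)

if __name__ == "__main__":
    SAT = satellite(F(1, 10), F(1, 5), F(3, 20))
    print("satellite:", pss_possible(SAT), " Z copy of Y:", pss_possible(copy_of_y(SAT)))
    print("honest:", protocol1(SAT, 10000, 0, F(1, 20), F(1, 20)),
          " cheating P_2:", protocol1(SAT, 10000, 0, F(1, 20), F(1, 20), cheating_p2=True))
```

In the satellite instance the dependent parts come out as the proof of Corollary 2 says: $X \searrow Y$ takes two values (it is $X$ up to renaming) and $[K, Y] \searrow Z$ takes four (the pair itself), both Markov conditions of Corollary 1 fail, and the honest run is accepted while the cheating $P_2$ is caught by $P_3$: the fake sequence never contains the $L$-value belonging to $(K, Y) = (0, 1)$, whose true probability is far above the tolerance. In the copy-of-$Y$ instance both Markov chains hold exactly and no PSS exists.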



Corollary 3. Let the players $P_1$, $P_2$, and $P_3$ be connected by a noisy broadcast
channel. This is a channel for which $P_1$ has an input bit $X$, and $P_2$ and $P_3$
get output bits $Y$ and $Z$, respectively, which result from sending $X$ over two
independent noisy channels with error probabilities $0 < \varepsilon_Y < 1/2$ and $0 < \varepsilon_Z <
1/2$. Then a PSS for the three players with arbitrary transfer path can be realized.

Proof. Let the transfer path be $P_1 \to P_2 \to P_3$. $P_1$ sends $n$ random bits over the
channel. Both $P_2$ and $P_3$ check whether the received values are indeed random,
that is, whether they are $\gamma_2$- and $\gamma_3$-typical. The values $\gamma_2$ and $\gamma_3$ are chosen
such that even if $P_1$ cheats, $P_2$ does not accept if $P_3$ does not either — except
with small probability. The resulting joint distribution satisfies the condition of
Corollary 2. □



3.2 The Case of More Than Three Players

Theorem 2 can be generalized to $p > 3$ players in a natural way. Assume
that $p$ players $P_1, \ldots, P_p$ want to implement a PSS along the transfer path
$P_1 \to \cdots \to P_p$. Let $(X_1^1, \ldots, X_1^p), \ldots, (X_n^1, \ldots, X_n^p)$ be $n$ lists distributed inde-
pendently according to $P_{X^1 \cdots X^p}$. Let player $P_j$ know the values $X_i^j$.

As in the protocol for three players, player $P_1$ sends $m$ together with his
signature $(m, K^1_{1+(n/2)m}, \ldots, K^1_{n/2+(n/2)m})$, where $K_i^1 := X_i^1 \searrow X_i^2$, to $P_2$. $P_2$ is
able to check whether $P_1$ sent the correct values $K_i^1$ or not, and he only accepts
the signature if almost all values $K_i^1$ were correct.

Pseudo-signatures, Broadcast, and Multi-party Computation

Now we let $P_2$ sign the value $m$ himself, using the random variable $[X_i^2, K_i^1]$.
(Since he only received half of the values $K_i^1$, he is able to sign $m$, but not $1 - m$.)
He sends $(m, K^2_{1+(n/2)m}, \ldots, K^2_{n/2+(n/2)m})$, where $K_i^2 := [X_i^2, K_i^1] \searrow X_i^3$, to $P_3$.

Now $P_3$ can check the signature and, if he accepts, sign the value $m$ himself,
and so forth. Note that the security parameter for every signature must be less
restrictive than the previous one, because some of the received $K_i^j$ may have
been faulty. Nevertheless, the error probability remains exponentially small in
$n$. Player $P_j$ is not able to forge a signature if
$$\mathrm{sim}_{X^{j+1}}(X^j \to [K^{j-1}, X^j])$$
does not hold. Hence, we get the following theorem.

Theorem 5. Let $(X_1^1, \ldots, X_1^p), \ldots, (X_n^1, \ldots, X_n^p)$ be $n$ lists distributed indepen-
dently according to $P_{X^1 \cdots X^p}$. Let $P_1, \ldots, P_p$ be $p$ players, and let $P_j$ know all the
$X_i^j$. Assume that for all $i$, player $P_i$ can send messages to $P_{i+1}$ in a secure way
(where $P_{p+1} = P_1$). Let $K^1 := X^1 \searrow X^2$ and $K^j := [X^j, K^{j-1}] \searrow X^{j+1}$ for
$j \in \{2, \ldots, p-1\}$.

Then, for large enough $n$, there exists a PSS for $p$ players with the transfer
path $P_1 \to \cdots \to P_p$ and tolerating one corrupted player if there does not exist
$j \ge 2$ with
$$\mathrm{sim}_{X^{j+1}}(X^j \to [K^{j-1}, X^j]) .$$

4 Broadcast and Multi-party Computation 

4.1 The Case of Three Players 

We will now apply the results of Section 3 and state the exact condition under 
which broadcast is possible for three players. 

Theorem 6. Let $(X_1, Y_1, Z_1), \ldots, (X_n, Y_n, Z_n)$ be $n$ triples distributed indepen-
dently according to $P_{XYZ}$. Assume that $P_1$, $P_2$, and $P_3$ know the values $X_i$, $Y_i$,
and $Z_i$, respectively. Let all players pairwisely be connected by secure channels.

If $n$ is large enough and $\mathrm{sim}_Z(Y \to [X \searrow Y, Y])$ or $\mathrm{sim}_Y(Z \to [X \searrow Z, Z])$
does not hold, then there exists a broadcast protocol for three players with sender
$P_1$.

Proof. If either $\mathrm{sim}_Z(Y \to [X \searrow Y, Y])$ or $\mathrm{sim}_Y(Z \to [X \searrow Z, Z])$ does not hold,
it is possible to set up a PSS with either the transfer path $P_1 \to P_2 \to P_3$ or
$P_1 \to P_3 \to P_2$. It was shown in [16] that this is sufficient to construct a broad-
cast protocol for three players. □

Theorem 7. Let $(X_1, Y_1, Z_1), \ldots, (X_n, Y_n, Z_n)$ be $n$ triples distributed indepen-
dently according to $P_{XYZ}$. Assume that $P_1$, $P_2$, and $P_3$ know the values $X_i$, $Y_i$,
and $Z_i$, respectively. Let all players pairwisely be connected by secure channels.

If both $\mathrm{sim}_Z(Y \to [X \searrow Y, Y])$ and $\mathrm{sim}_Y(Z \to [X \searrow Z, Z])$ hold, then there
exists no broadcast protocol (for any $n$) for three players with sender $P_1$.
Proof. From Lemma 6, it follows that there exist channels $P_{\bar X|X}$ and $P_{\bar X Y'|Y}$ such 
that $P_{XY} = P_{\bar X Y}$ and $P_{\bar X Y Z} \approx P_{\bar X Y' Z}$ hold, as well as channels $P_{X'|X}$ and $P_{X'Z'|Z}$ such 
that $P_{XZ} = P_{X'Z}$ and $P_{X'YZ} \approx P_{X'YZ'}$ hold. 

As in the proof of Theorem 3, we duplicate the sender $P_1$ and rearrange the 
four resulting players in the following way: We disconnect $P_1$ and $P_3$ but connect 
$P_3$ to $P_1'$ instead, whereas $P_2$ stays connected as originally. 

$P_1$ gets input $\bar X_i$, constructed by applying the channel $P_{\bar X|X}$ to $X_i$; $P_1'$ gets 
input $X_i'$, constructed by applying the channel $P_{X'|X}$ to $X_i$; $P_2$ gets input $Y_i$, 
and $P_3$ gets input $Z_i$. 

We give $P_1$ and $P_1'$ two different inputs $m$ and $m'$ and let them all execute 
the protocol; they all output a value. We now consider three scenarios of an 
original system involving some of the players $P_1$, $P_1'$, $P_2$, and $P_3$ of the new 
system obtained by interconnecting all four players as described above. 

- Let $P_1$ and $P_2$ be correct and $P_3$ be corrupted. Using his variables $Z_i$, $P_3$ 
can produce $X_i'$ and $Z_i'$ such that $P_2$ cannot distinguish them from $X_i'$ and 
$Z_i$. Furthermore, $P_2$ cannot distinguish $\bar X_i$, which he receives from $P_1$, from 
$X_i$. $P_3$ simulates $P_1'$, giving him the values $X_i'$ as input, and using the values 
$Z_i'$ himself. 

- Let $P_1'$ and $P_3$ be correct and $P_2$ be corrupted. Using his variables $Y_i$, $P_2$ 
can produce $\bar X_i$ and $Y_i'$ such that $P_3$ cannot distinguish them from $\bar X_i$ and 
$Y_i$. Furthermore, $P_3$ cannot distinguish $X_i'$, which he receives from $P_1'$, from 
$X_i$. $P_2$ simulates $P_1$, giving him the values $\bar X_i$ as input, and using the values 
$Y_i'$ himself. 

- Let $P_2$ and $P_3$ be correct and $P_1$ be corrupted. Using his variables $X_i$, $P_1$ 
can produce $\bar X_i$ and $X_i'$. He can simulate player $P_1'$ with $X_i'$ as input and 
use $\bar X_i$ for himself. 

The joint view of the players $P_1$ and $P_2$ in the new system is indistinguishable 
from their view in the first scenario, and they must thus output $m$, the input of $P_1$. The joint 
view of the players $P_1'$ and $P_3$ in the new system is indistinguishable from their 
joint view in the second scenario, and they, therefore, output $m'$. But also the 
joint view of players $P_2$ and $P_3$ in the new system is indistinguishable from their 
view in the third scenario, and thus they must agree on their output value, which 
contradicts what we derived above (since $m \ne m'$). Therefore, no broadcast protocol can exist. □ 

Using Theorems 6 and 7 we can now state the exact condition under which 
broadcast and MPC among three players are possible. 

Theorem 8. Let $(X_1, Y_1, Z_1), \ldots, (X_n, Y_n, Z_n)$ be $n$ triples distributed independently 
according to $P_{XYZ}$. Let $P_1$, $P_2$, and $P_3$ know the values $X_i$, $Y_i$, and $Z_i$, 
respectively. Let all players be pairwise connected by secure channels. Broadcast 
with sender $P_1$ is possible if and only if 

$$\neg\bigl(\mathrm{sim}_Z(Y \to [X \searrow Y, Y]) \wedge \mathrm{sim}_Y(Z \to [X \searrow Z, Z])\bigr)$$

holds. 

Corollary 4. Let $(X_1, Y_1, Z_1), \ldots, (X_n, Y_n, Z_n)$ be $n$ triples distributed independently 
according to $P_{XYZ}$. Let $P_1$, $P_2$, and $P_3$ know the values $X_i$, $Y_i$, and $Z_i$, 
respectively. Let all players be pairwise connected by secure channels. 
Broadcast with sender $P_1$ is possible if and only if 

$$\neg\bigl((X \searrow Y) \leftrightarrow Y \leftrightarrow Z \;\wedge\; (X \searrow Z) \leftrightarrow Z \leftrightarrow Y\bigr)$$

holds. 

Lemma 7. Let three players $P_1$, $P_2$, and $P_3$ be connected pairwise by secure 
channels and additionally by broadcast channels from $P_1$ to $\{P_2, P_3\}$ and from 
$P_2$ to $\{P_1, P_3\}$ (but by no other primitive such as a PSS among the players). Then 
broadcast from $P_3$ to $\{P_1, P_2\}$ is impossible. 

Proof. This follows from a generalization of the proof in [14], where only pair- 
wise channels are assumed. □ 



Theorem 9. Let $(X_1, Y_1, Z_1), \ldots, (X_n, Y_n, Z_n)$ be $n$ triples distributed independently 
according to $P_{XYZ}$. Let $P_1$, $P_2$, and $P_3$ know the values $X_i$, $Y_i$, and $Z_i$, 
respectively. Let all players be pairwise connected by secure channels. 

Broadcast with arbitrary sender as well as general multi-party computation 
secure against one corrupted player are possible if and only if 

$$\begin{aligned}
&\neg\bigl(\mathrm{sim}_Z(Y \to [X \searrow Y, Y]) \wedge \mathrm{sim}_Y(Z \to [X \searrow Z, Z])\bigr) \;\wedge \\
&\neg\bigl(\mathrm{sim}_X(Z \to [Y \searrow Z, Z]) \wedge \mathrm{sim}_Z(X \to [Y \searrow X, X])\bigr) \;\wedge \\
&\neg\bigl(\mathrm{sim}_X(Y \to [Z \searrow Y, Y]) \wedge \mathrm{sim}_Y(X \to [Z \searrow X, X])\bigr)
\end{aligned}$$

holds. 

Proof. The condition is sufficient for broadcast with every sender because of Theorem 8, 
and it is necessary because of Theorem 8 together with Lemma 7: if it fails for one sender, 
the broadcast channels of the other two senders do not help. The achievability of multi-party computation 
then follows from [1, 26, 10]. Furthermore, since broadcast is a special case of multi-party 
computation, the impossibility of broadcast immediately implies the impossibility 
of MPC. □ 



Corollary 5. Let $(X_1, Y_1, Z_1), \ldots, (X_n, Y_n, Z_n)$ be $n$ triples distributed independently 
according to $P_{XYZ}$. Let $P_1$, $P_2$, and $P_3$ know the values $X_i$, $Y_i$, and $Z_i$, 
respectively. Let all players be pairwise connected by secure channels. 

Broadcast with arbitrary sender as well as general multi-party computation 
secure against one corrupted player are possible if and only if 

$$\begin{aligned}
&\neg\bigl((X \searrow Y) \leftrightarrow Y \leftrightarrow Z \;\wedge\; (X \searrow Z) \leftrightarrow Z \leftrightarrow Y\bigr) \;\wedge \\
&\neg\bigl((Y \searrow Z) \leftrightarrow Z \leftrightarrow X \;\wedge\; (Y \searrow X) \leftrightarrow X \leftrightarrow Z\bigr) \;\wedge \\
&\neg\bigl((Z \searrow Y) \leftrightarrow Y \leftrightarrow X \;\wedge\; (Z \searrow X) \leftrightarrow X \leftrightarrow Y\bigr)
\end{aligned}$$

holds. 
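The following is an added worked example, not code from the paper: it evaluates the Markov-chain conditions of Corollary 4 (sender $P_1$) and Corollary 5 (all senders) on small, fully specified joint distributions $P_{XYZ}$, with exact rational arithmetic. It assumes that the dependent part $X \searrow Y$ is the function of $X$ that maps $x$ to the conditional distribution $P_{Y|X=x}$ (so two values of $x$ are identified exactly when they induce the same distribution on $Y$); that definition is given in Section 3 of the paper, not on this page, and is taken here as an assumption. The three sample distributions (a bit shared by all players, two independent noisy copies of $P_1$'s bit, and a noisy copy for $P_2$ with $P_3$ holding nothing) are constructed for the illustration.

```python
from collections import defaultdict
from fractions import Fraction
from itertools import product


def marginal(p, keep):
    """Marginalise a joint pmf (dict: outcome tuple -> Fraction) onto the coordinate positions in `keep`."""
    out = defaultdict(Fraction)
    for outcome, prob in p.items():
        out[tuple(outcome[i] for i in keep)] += prob
    return dict(out)


def reorder(p, order):
    """Permute the coordinates of every outcome, e.g. order=(0, 2, 1) turns P_XYZ into P_XZY."""
    return {tuple(outcome[i] for i in order): prob for outcome, prob in p.items()}


def dependent_part(pab):
    """Label each value a of A by the conditional distribution P_{B|A=a}.

    ASSUMPTION: this is the dependent part A -> B used in Corollaries 4 and 5 (defined in
    Section 3 of the paper, not on this page): the function of A whose value at a is the
    distribution of B given A = a. Returns a dict a -> hashable label.
    """
    pa = marginal(pab, (0,))
    cond = defaultdict(dict)
    for (a, b), prob in pab.items():
        cond[a][b] = prob / pa[(a,)]
    return {a: tuple(sorted(d.items())) for a, d in cond.items()}


def apply_function(p, f, pos):
    """Push the pmf through f on coordinate `pos`: outcome[pos] is replaced by f[outcome[pos]]."""
    out = defaultdict(Fraction)
    for outcome, prob in p.items():
        o = list(outcome)
        o[pos] = f[o[pos]]
        out[tuple(o)] += prob
    return dict(out)


def is_markov_chain(pabc):
    """Exact test of A <-> B <-> C: P(a, c | b) = P(a | b) P(c | b) whenever P(b) > 0.
    Checked in the product form P(a,b,c) P(b) = P(a,b) P(b,c) so zero-probability cells are covered."""
    alphabets = [{o[i] for o in pabc} for i in range(3)]
    pb, pab, pbc = marginal(pabc, (1,)), marginal(pabc, (0, 1)), marginal(pabc, (1, 2))
    zero = Fraction(0)
    for a, b, c in product(*alphabets):
        if pb.get((b,), zero) == zero:
            continue
        if pabc.get((a, b, c), zero) * pb[(b,)] != pab.get((a, b), zero) * pbc.get((b, c), zero):
            return False
    return True


def broadcast_possible(pxyz, sender):
    """Corollary 4 applied to the player at coordinate `sender` (0, 1, 2 = P1, P2, P3) holding S,
    the other two holding T and U: broadcast with that sender is possible iff NOT both
    (S -> T) <-> T <-> U and (S -> U) <-> U <-> T hold."""
    t, u = [i for i in range(3) if i != sender]
    pstu = reorder(pxyz, (sender, t, u))
    psut = reorder(pxyz, (sender, u, t))
    chain_t = is_markov_chain(apply_function(pstu, dependent_part(marginal(pstu, (0, 1))), 0))
    chain_u = is_markov_chain(apply_function(psut, dependent_part(marginal(psut, (0, 1))), 0))
    return not (chain_t and chain_u)


def mpc_possible(pxyz):
    """Corollary 5: broadcast with arbitrary sender, and hence MPC secure against one corrupted
    player, is possible iff every one of the three players can act as broadcast sender."""
    return all(broadcast_possible(pxyz, s) for s in range(3))


# Constructed sample distributions for the illustration (not taken from the paper).
def shared_bit():
    """All three players hold the same uniform bit."""
    return {(b, b, b): Fraction(1, 2) for b in (0, 1)}


def noisy_copies(eps=Fraction(1, 4)):
    """X uniform; Y and Z are independent noisy copies of X, each flipped with probability eps."""
    return {
        (x, y, z): Fraction(1, 2) * (eps if y != x else 1 - eps) * (eps if z != x else 1 - eps)
        for x, y, z in product((0, 1), repeat=3)
    }


def independent_z(eps=Fraction(1, 4)):
    """X uniform, Y a noisy copy of X, Z an independent uniform bit (P3 learns nothing)."""
    return {
        (x, y, z): Fraction(1, 4) * (eps if y != x else 1 - eps)
        for x, y, z in product((0, 1), repeat=3)
    }


if __name__ == "__main__":
    for name, dist in [("shared bit", shared_bit()), ("noisy copies", noisy_copies()),
                       ("independent Z", independent_z())]:
        senders = [broadcast_possible(dist, s) for s in range(3)]
        print(f"{name:14s} broadcast by P1,P2,P3 = {senders}  MPC = {mpc_possible(dist)}")
```

For the shared bit both chains hold for every sender, so Corollary 4 rules broadcast out: common randomness gives nobody an advantage. With two independent noisy copies of $P_1$'s bit, $Z$ still carries information about $X$ once $Y$ is known, the chain $(X \searrow Y) \leftrightarrow Y \leftrightarrow Z$ fails, and broadcast with every sender (hence MPC) is possible. When $P_3$ holds an independent bit, $X \searrow Z$ collapses to a constant, both chains hold, and broadcast with sender $P_1$ is impossible. The test is exact on the single-realization distribution; the "large enough $n$" of the theorems concerns how many independent realizations the protocol consumes, not this condition.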
4.2 The Case of More than Three Players 

Corollary 6. Let $P_1, \ldots, P_n$ be $n$ players. Let all players be pairwise connected 
by secure channels. Furthermore, let every triple of players $(P_i, P_j, P_k)$ 
have enough independent realizations of $X^i$, $X^j$, and $X^k$, respectively, such that 
either $\mathrm{sim}_{X^k}(X^j \to [X^i \searrow X^j, X^j])$ or $\mathrm{sim}_{X^j}(X^k \to [X^i \searrow X^k, X^k])$ does not 
hold. Then broadcast and multi-party computation unconditionally secure against 
$t < n/2$ corrupted players are achievable. 

Proof. From Theorem 9, it follows that any triple of players can execute a broadcast 
protocol. Using the protocol from [17], broadcast for $n$ players tolerating 
$t < n/2$ corrupted players can be achieved. Using [1, 26, 10], a protocol for unconditional 
MPC can be constructed that can tolerate $t < n/2$ corrupted players. 

□ 



5 Concluding Remarks 

In the model of unconditional security, we have completely characterized the 
possibility of pseudo-signatures, broadcast, and secure multi-party computation 
among three players having access to certain correlated pieces of information. 
Interestingly, this condition is closely related to a property called (non-) simu- 
latability previously studied in an entirely different context, namely information- 
theoretic secret-key agreement. 

As a consequence of this result, we gave a new, weaker condition for the 
possibility of achieving unconditional broadcast between n players and any mi- 
nority of cheaters and, hence, general multi-party computation under the same 
conditions. 